Is it possible to rename a column that contains special signs and numbers in microsoft azure in KQL?

Question

I started working with Microsoft's sentinel one.

I'm working on gathering information from the logs that sentinel is producing. For better readability, I want to change the names of the columns that I'm projecting, but couldn't rename a column that contained numbers and special characters. I'm using KQL to gather the logs from sentinel

AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
| project TargetResources[0].displayName, OperationName, ActivityDateTime
| project-rename GroupName = TargetResources[0].displayName, Time = ActivityDateTime, Type = OperationName

So renaming the columns: ActivityDateTime & OperationName is working, but I get an error that says "column name expected" when trying to rename the first column. Even though it appear when running that code.

Is there a way to rename that column?

maced · Accepted Answer

Extend operator is used to create a calculated column and new column is appended to result set. Since you just need to rename a column you can do it with project operator. project-rename doesn't work for expressions.

AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
| project GroupName=TargetResources[0].displayName, Type=OperationName, Time = ActivityDateTime

Is it possible to rename a column that contains special signs and numbers in microsoft azure in KQL?

Answers (2)

Related Questions