Still, I am getting an error 'parse' operator: Failed to resolve scalar expression named 'msg_s'

Here the same - still have this error on logs

Hi Guys , any update for this case ? I have same error

How to fix 'parse' operator: Failed to resolve scalar expression named 'msg_s' If the issue persists, please open a support ticket. Request id: 117cf54a-1039-4496-b8b1-13730efa136e

Truong Nga 10

Erroe_log_query

KranthiPakala-MSFT 46,422 Reputation points Microsoft Employee

2023-07-06T20:50:53.2666667+00:00

@Truong Nga Just checking in to see if the above information was helpful to resolve your issue. In case if you still experience the problem, as requested in my previous comment, please share additional information to further investigate on it.

Thank you
KranthiPakala-MSFT 46,422 Reputation points Microsoft Employee

2023-07-08T16:56:56.75+00:00

@Truong Nga We still have not heard back from you. Just wanted to check if the below information was helpful? If it answers your query, please do click Accept Answer and Yes for "was this answer helpful", as it might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thank you

4 answers

KranthiPakala-MSFT 46,422 Microsoft Employee

@Truong Nga Welcome to Microsoft Q&A forum and thanks for reaching out here.

By looking at the error message, looks like the issue is raised at the first parse expression for the column msg_s.
Could you please confirm if that column/field exists in the table/data, you are looking for?

While doing my research, from this sample data provided in this documentation, I noticed that the field/column name is msg rather than msg_s.

Ref documentation: Azure Firewall logs and metrics.

Here is the sample Application Rule log data available in the Diagnostic logs for Azure Firewall:

{
  "category": "AzureFirewallApplicationRule",
  "time": "2018-04-16T23:45:04.8295030Z",
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
  "operationName": "AzureFirewallApplicationRuleLog",
  "properties": {
      "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
  }
}

Hence, I recommend replacing msg_s with msg in your query and see if that helps to resolve the issue. If that didn't work, I request you to please share a sample Application rule log that you are querying (Please mask/remove any sensitive information) along with your sample query text instead if the above image, so that we can assist accordingly.

Hope this information helps. Let us know how it goes.

Thank you

Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

Morgan Ecklund 0

I have this same error. I can not run you code either can you be clear where this run from it does not appear to be a KQL. I am just use the canned KQL code from the AZFW logs 'extend' operator: Failed to resolve scalar expression named 'msg_s' Request id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
here is the KQL

// Azure Firewall log data 
// Start from this query if you want to parse the logs from network rules, application rules, NAT rules, IDS, threat intelligence and more to understand why certain traffic was allowed or denied. This query will show the last 100 log records but by adding simple filter statements at the end of the query the results can be tweaked. 
// Parses the azure firewall rule log data. 
// Includes network rules, application rules, threat intelligence, ips/ids, ...
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
//optionally apply filters to only look at a certain type of log data
//| where OperationName == "AzureFirewallNetworkRuleLog"
//| where OperationName == "AzureFirewallNatRuleLog"
//| where OperationName == "AzureFirewallApplicationRuleLog"
//| where OperationName == "AzureFirewallIDSLog"
//| where OperationName == "AzureFirewallThreatIntelLog"
| extend msg_original = msg_s
// normalize data so it's eassier to parse later
| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
// extract web category, then remove it from further parsing
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@'(. Web Category:).*','', msg_s)
// extract RuleCollection and Rule information, then remove it from further parsing
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
// extract Rule Collection Group information, then remove it from further parsing
| parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
// extract Policy information, then remove it from further parsing
| parse msg_s with * ". Policy: " Policy
| extend msg_s = replace(@'(. Policy:).*','', msg_s)
// extract IDS fields, for now it's always add the end, then remove it from further parsing
| parse msg_s with * ". Signature: " IDSSignatureIDInt ". IDS: " IDSSignatureDescription ". Priority: " IDSPriorityInt ". Classification: " IDSClassification
| extend msg_s = replace(@'(. Signature:).*','', msg_s)
// extra NAT info, then remove it from further parsing
| parse msg_s with * " was DNAT'ed to " NatDestination
| extend msg_s = replace(@"( was DNAT'ed to ).*",". Action: DNAT", msg_s)
// extract Threat Intellingence info, then remove it from further parsing
| parse msg_s with * ". ThreatIntel: " ThreatIntel
| extend msg_s = replace(@'(. ThreatIntel:).*','', msg_s)
// extract URL, then remove it from further parsing
| extend URL = extract(@"(Url: )(.*)(\. Action)",2,msg_s)
| extend msg_s=replace(@"(Url: .*)(Action)",@"\2",msg_s)
// parse remaining "simple" fields
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend 
    SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
    SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
    Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
    TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
    Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
    Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
    RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
    RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection),
    IDSSignatureID = tostring(IDSSignatureIDInt),
    IDSPriority = tostring(IDSPriorityInt)
| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
| order by TimeGenerated
| limit 100

k govindu 0 Reputation points

2023-12-13T06:35:30.8766667+00:00

Still, I am getting an error

'parse' operator: Failed to resolve scalar expression named 'msg_s'
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Boris Shkarupelov 0 Reputation points

2024-01-31T13:57:15.2266667+00:00

Here the same - still have this error on logs
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Maciej Rybak 0 Reputation points

2024-04-15T09:46:56.27+00:00

Hi Guys , any update for this case ? I have same error
Please sign in to rate this answer.

0 comments No comments
Sign in to comment