kql azure-sentinel

Use KQL query to return a list of column names


I'm creating a workbook in Microsoft Sentinel, and I want to add some parameters to make the queries populating the panels more flexible. Specifically, I want to have a drop-down parameter with a list of all column names for a given table. This column name will then be used in downstream queries.

Is there a KQL query that can return all column names for a given table? It looks like .show isn't supported in Log Analytics/Sentinel.

Worst comes to worst, I can make it a text field, but would strongly prefer to have a drop-down menu.


Solution

  • You can use the getschema function!

    https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/getschemaoperator

    tablename | getschema
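
An added example, not part of the original answer: getschema returns one row per column (ColumnName, ColumnOrdinal, DataType, ColumnType), so the drop-down query only needs to project ColumnName. The table SecurityEvent and the parameter name ColumnParam are assumptions chosen for illustration.

```kql
// Query for the workbook drop-down parameter (hypothetical name: ColumnParam).
// getschema emits ColumnName, ColumnOrdinal, DataType and ColumnType;
// the drop-down uses the first projected column as its value.
SecurityEvent
| getschema
| where ColumnType == "string"      // optional: offer only string columns
| project ColumnName
| order by ColumnName asc

// Downstream panel query that consumes the selected column.
// The workbook substitutes {ColumnParam} as text before the query runs.
// column_ifexists() falls back to the default instead of failing if the
// selected name does not exist in the table.
SecurityEvent
| where TimeGenerated > ago(1d)
| extend Selected = tostring(column_ifexists("{ColumnParam}", ""))
| summarize Events = count() by Selected
| top 20 by Events desc
```

Populating the parameter from getschema rather than a free-text field keeps the substituted value limited to names that exist in the table's schema.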