azurekqlazure-log-analyticsazure-sentinel

Using KQL and externaldata() operator to pull infromation from Azure storage account table


Based on the Microsoft documentation it is possible to query external data via KQL using "externaldata".

I wanted to test it out and created a storage account and then simple table within (the table is in "Tables" not in "Containers")

I am ending up with error "Some aspects of the query had errors so the results are not complete".

Any pointers of what could go wrong here? My goal is to simply see the data from the table.

externaldata(RowKey:string) [h@""] with(format="raw") is the query I was using to test it out.

Link to the table was taken from Azure Storage Explorer via "Get Shared Access Signature".


Solution

  • Azure Storage Tables aren't supported as a source for external tables.

    from the documentation

    Supported external data stores are:

    • Files stored in Azure Blob Storage or in Azure Data Lake. Most commonly the data is stored in some standard format such as CSV, JSON, Parquet, AVRO, etc. For the list of supported formats, refer to supported formats.
    • SQL Server table.