Adding msg_s column in AzureFirewall DNS parsers #14609

Open
dhanunjaya1054 wants to merge 1 commit into Azure:master from dhanunjaya1054:AgariDataConnector

@dhanunjaya1054

Contributor

Required items, please complete

Change(s):

  • Added msg_s = column_ifexists("msg_s", "") to both legacy AzureDiagnostics branches in ASimDnsAzureFirewall and vimDnsAzureFirewall DNS parsers.

Reason for Change(s):

  • In resource-specific mode (logs go only to AZFWDnsQuery), msg_s doesn't exist in AzureDiagnostics, causing 'Failed to resolve scalar expression named 'msg_s'' which aborted the whole union. column_ifexists makes the reference safe and backward-compatible.

Version Updated:

  • Both parsers bumped 0.4.0 → 0.4.1 (N/A for Detections/Analytic Rules).

Testing Completed:

  • Yes

@dhanunjaya1054 dhanunjaya1054 requested review from a team as code owners July 2, 2026 08:17
@v-atulyadav v-atulyadav requested a review from Copilot July 2, 2026 08:39
@v-atulyadav v-atulyadav self-assigned this Jul 2, 2026
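
The failure and the fix described in this pull request, as an added example that is not part of the PR or of the parsers themselves. The `datatable` names `LegacyDiag` and `ResourceSpecificDiag`, their rows, and the `Branch` column are constructed stand-ins for AzureDiagnostics with and without the msg_s column.

```kusto
// Constructed sample: AzureDiagnostics in legacy mode, where msg_s exists.
let LegacyDiag = datatable(TimeGenerated:datetime, ResourceId:string, SubscriptionId:string, msg_s:string)
[
    datetime(2026-07-01T10:00:00Z), "/constructed/fw-legacy", "sub-constructed", " Error: constructed failure text",
    datetime(2026-07-01T10:00:05Z), "/constructed/fw-legacy", "sub-constructed", "constructed non-error text"
];
// Constructed sample: resource-specific mode, where AzureDiagnostics has no msg_s column.
let ResourceSpecificDiag = datatable(TimeGenerated:datetime, ResourceId:string, SubscriptionId:string)
[
    datetime(2026-07-01T10:01:00Z), "/constructed/fw-rs", "sub-constructed"
];
// Before the fix, the branch referenced msg_s directly. Against the second sample
// that reference cannot be resolved and the whole query is rejected:
//   ResourceSpecificDiag
//   | project msg_s, TimeGenerated, ResourceId, SubscriptionId
//
// With the fix, each branch resolves on either schema.
union
(
    LegacyDiag
    | extend msg_s = column_ifexists("msg_s", "")   // column exists: real values are used
    | project msg_s, TimeGenerated, ResourceId, SubscriptionId
    | where msg_s startswith " Error:"
    | extend Branch = "legacy"                      // hypothetical label, for reading the output
),
(
    ResourceSpecificDiag
    | extend msg_s = column_ifexists("msg_s", "")   // column absent: falls back to ""
    | project msg_s, TimeGenerated, ResourceId, SubscriptionId
    | where msg_s startswith " Error:"              // "" never matches, so this branch is empty
    | extend Branch = "resource-specific"
)
```

Only the legacy row whose message starts with " Error:" comes back; the resource-specific branch resolves cleanly and contributes no rows instead of aborting the union.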

Copilot AI left a comment

Contributor

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Azure Firewall DNS ASIM parsers to safely reference msg_s in AzureDiagnostics by using column_ifexists, preventing unions from failing when the column is absent (e.g., resource-specific logging scenarios).

Changes:

  • Bumped parser versions from 0.4.0 to 0.4.1 and updated LastUpdated dates.
  • Added extend msg_s = column_ifexists("msg_s", "") to legacy AzureDiagnostics branches in both parsers.
  • Added explanatory comments describing why column_ifexists is required.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Parsers/ASimDns/Parsers/vimDnsAzureFirewall.yaml | Makes msg_s access safe in AzureDiagnostics DNS proxy branches to avoid union aborts. |
| Parsers/ASimDns/Parsers/ASimDnsAzureFirewall.yaml | Same msg_s safety fix for the main ASIM parser, plus version/date bump. |

Comment on lines +61 to 62
| extend msg_s = column_ifexists("msg_s", "")
| project msg_s, TimeGenerated, ResourceId, SubscriptionId
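Review bot: the `column_ifexists("msg_s", "")` fallback on the added `extend` line is only reached on a workspace whose AzureDiagnostics table has no msg_s column, and the PR text says testing was completed without saying which schema it ran against. Please confirm the parser was run both where msg_s exists and where it does not, and record that in the PR, since the `project` that follows receives the real column in one case and a constant empty string in the other.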
Comment on lines +61 to 63
| extend msg_s = column_ifexists("msg_s", "")
| project msg_s, TimeGenerated, ResourceId, SubscriptionId
| where msg_s startswith " Error:"
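Review bot: on the `where msg_s startswith " Error:"` line, this filter is what makes the branch return nothing when the `extend` above falls back to "", so the fix depends on it staying a positive match on msg_s. A short comment on the `where` saying so would stop a later edit (for example a negated filter) from letting empty-msg_s rows through; placing the `where` directly after the `extend`, ahead of the `project`, would also keep the guard and the filter together.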
@yummyblabla

Collaborator

@dhanunjaya1054 Update the changelog files that you've made the change to the two parsers.
