@Truong Nga Welcome to Microsoft Q&A forum and thanks for reaching out here.
By looking at the error message, it looks like the issue is raised at the first parse expression for the column msg_s.
Could you please confirm if that column/field exists in the table/data you are looking for?
While doing my research, from the sample data provided in this documentation, I noticed that the field/column name is msg rather than msg_s.
Ref documentation: Azure Firewall logs and metrics.
Here is the sample Application Rule log data available in the Diagnostic logs for Azure Firewall:
{
  "category": "AzureFirewallApplicationRule",
  "time": "2018-04-16T23:45:04.8295030Z",
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
  "operationName": "AzureFirewallApplicationRuleLog",
  "properties": {
    "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
  }
}
Hence, I recommend replacing msg_s with msg in your query and seeing if that helps to resolve the issue. If that doesn't work, I request you to please share a sample Application rule log that you are querying (please mask/remove any sensitive information) along with your sample query text instead of the above image, so that we can assist accordingly.
Hope this information helps. Let us know how it goes.
Thank you
Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.
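As an added example (not part of the original answer or the poster's query), the following query parses the message text from the sample log above while tolerating either column name. The table name SampleLogs and the extracted column names (Protocol, SourceIP, and so on) are assumptions chosen for illustration, and the single row is constructed from the sample record.

```kusto
// Constructed sample row built from the "msg" text in the sample log above.
let SampleLogs = datatable(Category: string, msg: string)
[
    "AzureFirewallApplicationRule",
    "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
];
SampleLogs
| where Category == "AzureFirewallApplicationRule"
// column_ifexists() returns the default ("") when the named column is absent,
// so the query does not fail to resolve whichever name the table lacks.
// coalesce() then picks the first non-empty string of the two candidates.
| extend Message = coalesce(column_ifexists("msg_s", ""), column_ifexists("msg", ""))
// Rows with no message text would only produce empty parsed columns.
| where isnotempty(Message)
// Split the message on the fixed phrases seen in the sample log line.
| parse Message with Protocol " request from " SourceIP ":" SourcePort: int
    " to " TargetHost ":" TargetPort: int
    ". Action: " Action
    ". Rule Collection: " RuleCollection
    ". Rule: " Rule
| project Protocol, SourceIP, SourcePort, TargetHost, TargetPort, Action, RuleCollection, Rule
```

To run it against workspace data, drop the `let` statement and replace SampleLogs with the table your query targets.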