splunk / splunk-add-on-microsoft-azure

Splunk Add-on for Microsoft Azure
Apache License 2.0

app returns all fields from Log analytics, even unused ones. #26

Closed EricMooreHays closed 4 months ago

EricMooreHays commented 1 year ago

We used the previous, now obsolete TA_log_analytics to pull Azure data. Have now converted over to this new app, and we're pleased with it.

One suggestion for improvement. That app had a check in the code to only carry forward into the Splunk event those columns from the log data that had values. Very helpful in reducing the data ingest volumes. We have one table, for example, that has about 380 columns, but only 20-30 used. Reduced the data ingest by about 10x.

The following crude code alteration of azure_kql.py achieves the same end. Worth considering?

    import json

    def rows_to_events(table, columns):
        """Build one Splunk event per row, carrying forward only columns with values."""
        for row in table["rows"]:
            splunk_event = {}
            splunk_event["Table"] = table["name"]
            for num, value in enumerate(row):
                try:
                    splunk_event[columns[num]] = json.loads(value)
                except ValueError:
                    # if the value is not JSON, leave it as-is unless it is empty
                    if value == "":
                        continue
                    else:
                        splunk_event[columns[num]] = value
                except Exception as e:
                    # catch anything else (e.g. TypeError for a None cell) and skip the column
                    #if value is None:
                    #    splunk_event[columns[num]] = ''
                    continue
            yield splunk_event

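As an added example (not code from the issue or the add-on), here is the same "drop empty columns" idea applied to a constructed response in the shape the Log Analytics query API returns (tables with typed columns and rows). It differs from the snippet above in one respect: only columns typed `dynamic` are JSON-decoded, so a string column such as a numeric result code keeps its type instead of being coerced. The table, column names and row values are hypothetical.

```python
import json

# Constructed sample in the shape of a Log Analytics query response
# (hypothetical rows, not data from the issue).
SAMPLE_RESPONSE = {"tables": [{
    "name": "SigninLogs",
    "columns": [
        {"name": "TimeGenerated", "type": "datetime"},
        {"name": "UserPrincipalName", "type": "string"},
        {"name": "ResultType", "type": "string"},
        {"name": "DeviceDetail", "type": "dynamic"},
        {"name": "Unused1", "type": "string"},
        {"name": "Unused2", "type": "string"},
    ],
    "rows": [
        ["2024-01-01T00:00:00Z", "alice@example.com", "0",
         '{"browser": "Edge", "operatingSystem": "Windows"}', "", None],
        ["2024-01-01T00:01:00Z", "bob@example.com", "50126", "", None, ""],
    ],
}]}

def table_to_events(table):
    """Yield one event per row, carrying only populated columns."""
    names = [c["name"] for c in table["columns"]]
    types = [c.get("type") for c in table["columns"]]
    for row in table["rows"]:
        event = {"Table": table["name"]}
        for num, value in enumerate(row):
            if value is None or value == "":
                continue  # empty cell: do not carry it into the event
            if types[num] == "dynamic" and isinstance(value, str):
                try:
                    value = json.loads(value)  # expand nested JSON columns
                except ValueError:
                    pass  # malformed payload: keep the raw string
            event[names[num]] = value
        yield event

def response_to_events(response):
    return [e for t in response["tables"] for e in table_to_events(t)]

def bytes_saved(table):
    """Serialized bytes of all-column events minus populated-only events."""
    names = [c["name"] for c in table["columns"]]
    full = sum(len(json.dumps(dict(zip(names, r), Table=table["name"])))
               for r in table["rows"])
    lean = sum(len(json.dumps(e)) for e in table_to_events(table))
    return full - lean
```

`bytes_saved` gives a quick way to measure, per table, how much serialized volume the empty-column filter removes before changing what is sent to Splunk.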
JasonConger commented 1 year ago

Duplicate: https://github.com/splunk/splunk-add-on-microsoft-azure/issues/15

EricMooreHays commented 1 year ago

Sorry...

JasonConger commented 1 year ago

Thanks for the code snippet. If you would like to submit a pull request to contribute, that is cool too.

EricMooreHays commented 1 year ago

That would be dangerous - I only code reliably in Fortran!!!!