It looks correct at first glance - I'd check your .json file, and keep in mind that by default column names are case sensitive (Name vs name). You can also try that column in bracket syntax - ["Name"] if that is what's in the json file.
Error Data collection rule is invalid Name field
Hello everyone, I hope you are well. I have been doing some log integrations to the Microsoft Sentinel tool with the Logstash tool as a connector. The problem is that when creating a custom table DCR and doing the transformation of TimeGenerated, I am prevented from deploying it because I have an error in the data collection rule, showing the following error. I do not know if something similar has happened to anyone who could help me, please.
2 answers
JamesTran-MSFT 36,606 Reputation points Microsoft Employee
2023-09-12T18:35:01.5+00:00
Thank you for your post and I apologize for the delayed response!
Error Message:
Error Data collection rule is invalid 'Name' field is not a valid column. It should start with a letter and then any combination of alphanumeric characters and '-' , '_'.
I understand that you're using the Logstash output plugin with Data Collection Rules (DCRs) within Microsoft Sentinel and are running into the above error message after creating a custom table and doing the transformation of TimeGenerated. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
Based off the error message that you're receiving it seems that the data collection rule you created is invalid. Please make sure that the name field within the JSON that you've provided for the DCR is valid and doesn't contain any special characters or spaces.
If you're still having issues and would like to work closer with our support team on this, please let me know. I'd be happy to enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.
Additional Links:
- Use Logstash to stream logs with pipeline transformations via DCR-based API
- Troubleshooting DCR resources for ingestion into a custom table
- Microsoft Sentinel Logstash output plugin - Limitations
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
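An added example (not part of the thread and not Microsoft tooling): a pre-deployment check that applies the naming rule quoted in the error message to every column under `properties.streamDeclarations` of a DCR JSON, and also flags columns that differ only by case, since column names are case sensitive. The sample DCR, the stream name `Custom-LogstashStream` and the function name `check_dcr_columns` are constructed for illustration.

```python
import json
import re

# Rule quoted in the error message: start with a letter, then any
# combination of alphanumeric characters, '-' and '_'.
COLUMN_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")

# Constructed sample DCR fragment (not the poster's file).
SAMPLE_DCR = """
{
  "properties": {
    "streamDeclarations": {
      "Custom-LogstashStream": {
        "columns": [
          {"name": "ls_timestamp", "type": "datetime"},
          {"name": "Name ",        "type": "string"},
          {"name": "@version",     "type": "string"},
          {"name": "host-name",    "type": "string"},
          {"name": "name",         "type": "string"},
          {"name": "Name",         "type": "string"}
        ]
      }
    }
  }
}
"""

def check_dcr_columns(dcr_text):
    """Return (stream, column name, problem) for every suspicious column."""
    dcr = json.loads(dcr_text)
    streams = dcr.get("properties", {}).get("streamDeclarations", {})
    findings = []
    for stream, decl in streams.items():
        seen = {}  # lower-cased name -> first spelling seen in this stream
        for col in decl.get("columns", []):
            name = col.get("name", "")
            if not COLUMN_NAME_RE.fullmatch(name):
                findings.append((stream, name, "does not match the naming rule"))
                continue
            first = seen.setdefault(name.lower(), name)
            if first != name:
                findings.append((stream, name, f"differs only by case from {first!r}"))
    return findings

if __name__ == "__main__":
    for stream, name, problem in check_dcr_columns(SAMPLE_DCR):
        print(f"{stream}: {name!r}: {problem}")
```

Printing names with `repr` makes a trailing space or other invisible character visible, which is easy to miss when reading the JSON by eye.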