Error Data collection rule is invalid Name field

hector martinez 10 Reputation points
2023-09-08T17:21:16.0966667+00:00

Hello everyone, I hope you are well. I have been doing some log integrations to the Microsoft Sentinel tool with the logstash tool as a connector. The problem relapses that when creating a custom table DRC and doing the transformation of TimeGenerated prevents me from deploying it because I have an error in the data collection rule, showing the following error, I do not know if something similar has happened to them in which they could help me please.Captura de pantalla 2023-09-04 183048

Captura de pantalla 2023-09-04 183149

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,124 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Anonymous
    2023-09-08T19:56:29.07+00:00

    It looks correct at first glance - I'd check your .json file, and keep in mind that by default column names are case sensitive (Name vs name). You can also try that column in bracket syntax - ["Name"] if that is what's in the json file.


  2. JamesTran-MSFT 36,606 Reputation points Microsoft Employee
    2023-09-12T18:35:01.5+00:00

    @hector martinez

    Thank you for your post and I apologize for the delayed response!

    Error Message:

    Error Data collection rule is invalid 'Name' field is not a valid column. It should start with a letter and then any combination of alphanumeric characters and '-' , '_'.

    I understand that you're using the Logstash output plugin with Data Collection Rules (DCRs) within Microsoft Sentinel and are running into the above error message after creating a custom table and doing the transformation of TimeGenerated. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    Based off the error message that you're receiving it seems that the data collection rule you created is invalid. Please make sure that the name field within the JSON that you've provided for the DCR is valid and doesn't contain any special characters or spaces.

    If you're still having issues and would like to work closer with our support team on this, please let me know. I'd be happy to enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.


    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.