DCR transformkql not parsing custom log field containing special character

Hi Praveesh Shetty,

Thank you for checking on this. I’ve reviewed your scenario, and I can confirm that the suggested approach is correct and supported for resolving the issue with parsing the addr.remote field in a DCR transformation.

The behavior you’re seeing is expected. In Kusto Query Language (KQL), a dot (.) in a field name is interpreted as a property accessor, not as part of the column name itself. Because of this, fields such as addr.remote cannot be accessed using standard dot notation or by treating the name as a string literal.

To handle field names that contain special characters (including dots), KQL requires the use of bracket notation. In the context of a Data Collection Rule (DCR) transformation, source represents the incoming record, and the field must be referenced exactly as it appears using brackets.

For example: KQL

source
| extend SourceIP = tostring(source['addr.remote'])

If the JSON payload is stored as a string inside another column (for example, RawData), the payload must first be parsed, and then the field accessed using the same bracket notation:

source
| extend parsed = parse_json(RawData)
| extend SourceIP = tostring(parsed['addr.remote

This is the supported and recommended pattern for accessing JSON properties with special characters during ingestion-time transformations. No changes are required on the Fluent Bit side if the payload structure remains the same.
Conclusion
Once the transformation is updated using bracket notation, the field should ingest correctly and be queryable in Log Analytics without further changes.
Microsoft reference documentation

• Create transformations in Azure Monitor Data Collection Rules (DCRs) https://learn.microsoft.com/azure/azure-monitor/data-collection/data-collection-transformations-create
• Supported KQL features and syntax in DCR transformations https://learn.microsoft.com/azure/azure-monitor/data-collection/data-collection-transformations-kql
• parse_json() function and JSON property access in KQL https://learn.microsoft.com/kusto/query/parse-json-function
• KQL column and schema handling (special characters in field names) https://learn.microsoft.com/azure/data-explorer/kusto/query/schema-entities/columns

Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

Please do not forget to "Accept Answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

In a DCR transformation, source already represents the incoming JSON as columns. To access a JSON property whose name contains a dot (like addr.remote), use bracket notation instead of a bare identifier or string literal.

Use this KQL in transformKql:

"transformKql": "source | extend SourceIP = tostring(source['addr.remote'])"

Key points:

• source is the virtual table for incoming data in transformations.
• addr.remote is not a valid bare column name because of the dot, so it must be referenced as ['addr.remote'].
• 'addr.remote' in the original query is just a string literal, not a column reference, so it never reads the field from the log.

If the JSON is nested inside another column (for example, all JSON is in a column called RawData), first parse that column, then use the same bracket notation on the parsed object:

source
| extend parsed = parse_json(RawData)
| extend SourceIP = tostring(parsed['addr.remote'])

Ensure the final query is flattened to a single line when placed in the DCR transformKql property.

References:

• Create a transformation in Azure Monitor
• Data collection rule (DCR) samples in Azure Monitor
• Tutorial: Add transformation in workspace data collection rule to Azure Monitor using Resource Manager templates
• Tutorial: Add a transformation in a workspace data collection rule by using the Azure portal