Forum Discussion
adding imported files with queries to workbooks
jamesReilly1000, there is a way, if you are happy to hard-code the names of the files.
Step 1: Create a new Workbook, then add a PARAMETER using the options below (replace the file name in the query, or use mine to test):
Step 2: Create a Query that is simply the parameter name from the above; in my case it was kqlFind.
The result should be like this, where the kqlFind parameter finds and reads the file, and the query then reads and executes that against whichever workspace you have selected.
Example workbook file; you can copy & paste it into a NEW workbook:
```json
{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "6819d2bd-23ab-4150-ad10-3ad725b6a53a",
            "version": "KqlParameterItem/1.0",
            "name": "kqlFind",
            "type": 1,
            "query": "let KQLtorun = external_data(kqlString:string)\r\n['https://raw.githubusercontent.com/clivewatson/KQLpublic/master/Queries/usage.yaml'] with (format=\"RAW\");\r\nKQLtorun\r\n| project kqlString",
            "typeSettings": {
              "multiLineText": true,
              "editorLanguage": "kql"
            },
            "timeContext": {
              "durationMs": 86400000
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces"
          }
        ],
        "style": "above",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 0"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "{kqlFind}",
        "size": 0,
        "timeContext": {
          "durationMs": 86400000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 1"
    }
  ],
  "fromTemplateId": "sentinel-UserWorkbook",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
```
Personally, I'd use a Query Pack to do this, as you can also assign access via RBAC. The above works for a few queries, but for a scale solution I'd suggest a query pack approach: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/query-packs
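The workbook above wires one file URL to one text parameter, and one query item to that parameter. As an added example that is not from the forum post or from the Workbooks project, the script below generalises that pattern to several hard-coded file URLs: it emits one `external_data(...)` parameter per file and one `{parameterName}` query item per parameter, using the item types, versions and `resourceType` strings taken from the posted JSON. The `ALLOWED_HOSTS` allow-list and the `kqlFind0`, `kqlFind1`, ... parameter names are this example's own assumptions; the allow-list is there because a parameter that fetches and executes query text from a remote file is only as trustworthy as the host it reads from.

```python
"""Generate an Azure Monitor Workbook that reads KQL text from files and runs it.

Constructed example, not code from the forum post or from the Workbooks project.
Item types (9 = parameters, 3 = query), versions and resourceType values are
copied from the workbook JSON posted above; the host allow-list and the
parameter naming scheme are assumptions of this example.
"""
import json
import uuid
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: only reference query files on hosts you control or trust,
# since whatever text the file contains is executed against the workspace.
ALLOWED_HOSTS = {"raw.githubusercontent.com"}
RESOURCE_TYPE = "microsoft.operationalinsights/workspaces"
ONE_DAY_MS = 86400000


def external_data_query(url: str) -> str:
    """KQL that reads a whole remote file as a single row via external_data (format=RAW)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc not in ALLOWED_HOSTS or "'" in url:
        raise ValueError(f"refusing to reference untrusted or malformed query source: {url}")
    return (
        "let KQLtorun = external_data(kqlString:string)\r\n"
        f"['{url}'] with (format=\"RAW\");\r\n"
        "KQLtorun\r\n| project kqlString"
    )


def build_workbook(file_urls: List[str]) -> Dict:
    """One text parameter per file URL, one query item that runs each parameter's text."""
    parameters = []
    query_items = []
    for i, url in enumerate(file_urls):
        name = f"kqlFind{i}"  # assumed naming scheme
        parameters.append({
            "id": str(uuid.uuid4()),
            "version": "KqlParameterItem/1.0",
            "name": name,
            "type": 1,  # text parameter, populated by its own KQL query
            "query": external_data_query(url),
            "typeSettings": {"multiLineText": True, "editorLanguage": "kql"},
            "timeContext": {"durationMs": ONE_DAY_MS},
            "queryType": 0,
            "resourceType": RESOURCE_TYPE,
        })
        query_items.append({
            "type": 3,  # query item whose text is the parameter substitution
            "content": {
                "version": "KqlItem/1.0",
                "query": f"{{{name}}}",  # renders as "{kqlFind0}", "{kqlFind1}", ...
                "size": 0,
                "timeContext": {"durationMs": ONE_DAY_MS},
                "queryType": 0,
                "resourceType": RESOURCE_TYPE,
            },
            "name": f"query - {i + 1}",
        })
    return {
        "version": "Notebook/1.0",
        "items": [
            {
                "type": 9,
                "content": {
                    "version": "KqlParameterItem/1.0",
                    "parameters": parameters,
                    "style": "above",
                    "queryType": 0,
                    "resourceType": RESOURCE_TYPE,
                },
                "name": "parameters - 0",
            },
            *query_items,
        ],
        "fromTemplateId": "sentinel-UserWorkbook",
        "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json",
    }


if __name__ == "__main__":
    # The file URL from the post; paste the output into a NEW workbook's Advanced Editor.
    urls = ["https://raw.githubusercontent.com/clivewatson/KQLpublic/master/Queries/usage.yaml"]
    print(json.dumps(build_workbook(urls), indent=2))
```

Each query item still runs with the permissions of whoever opens the workbook, so this only scales the hard-coded-files approach; it does not give the per-query RBAC that a Query Pack offers.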
-----------
I don't think it's in the UI yet, but this Workbook will demo the above (the Hunting tab within is an alternate way of doing the above, not using the query in a file but letting you type one into the workbook) and also using a Query Pack lookup and run...
Azure-Sentinel/SentinelCentral.json at master · Azure/Azure-Sentinel · GitHub