Forum Discussion

WiJaN's avatar
WiJaN
Copper Contributor
May 25, 2020
Solved

Enrich data with a custom function kql

Hi! I'm looking to create a custom function in kql to add the subnet name to my result table, based on where the IP matches the subnet provided in a json array. I am using the ipv4_is_match function...
Azure Log Analytics
azure monitor
  • Noa Kuperberg's avatar
    Noa Kuperberg
    May 26, 2020

    WiJaN 

    Hey, try changing your function as shown below (I also added a test-subnet option to catch the values I have)

    let IpRangeClassify=(ip:string)
{
case(
ipv4_is_match(ip, "10.160.157.0/25"), "dsvm-subnet",
ipv4_is_match(ip, "10.160.94.0/25"), "adf-subnet",
ipv4_is_match(ip, "10.160.93.0/25"), "dsvm-subnet",
ipv4_is_match(ip, "10.160.157.0/25"), "management-subnet",
ipv4_is_match(ip, "23.102.166.0/25"), "test-subnet",
"Not in known subnet")
// let Result = print fwarray = dynamic([
//{"Name": "dsvm-subnet", "AddressPrefix": "10.160.157.0/25"},
//{"Name": "adf-subnet","AddressPrefix":"10.160.94.0/25"},
//{"Name": "dsvm-subnet","AddressPrefix":"10.160.93.0/25"},
//{"Name": "management-subnet","AddressPrefix":"10.160.95.0/25"}])
//| mvexpand fwarray
//| evaluate bag_unpack(fwarray)
//| where ipv4_is_match(ip, AddressPrefix) == true
//| project Name;
//iif(isempty(toscalar(Result)) , toscalar('Not in known subnet'), toscalar(Result))
};

     

    I got these results:

Noa Kuperberg's avatar
Noa Kuperberg
Icon for Microsoft rankMicrosoft
May 26, 2020

WiJaN 

Hey, try changing your function as shown below (I also added a test-subnet option to catch the values I have)

let IpRangeClassify=(ip:string)
{
case(
ipv4_is_match(ip, "10.160.157.0/25"), "dsvm-subnet",
ipv4_is_match(ip, "10.160.94.0/25"), "adf-subnet",
ipv4_is_match(ip, "10.160.93.0/25"), "dsvm-subnet",
ipv4_is_match(ip, "10.160.157.0/25"), "management-subnet",
ipv4_is_match(ip, "23.102.166.0/25"), "test-subnet",
"Not in known subnet")
// let Result = print fwarray = dynamic([
//{"Name": "dsvm-subnet", "AddressPrefix": "10.160.157.0/25"},
//{"Name": "adf-subnet","AddressPrefix":"10.160.94.0/25"},
//{"Name": "dsvm-subnet","AddressPrefix":"10.160.93.0/25"},
//{"Name": "management-subnet","AddressPrefix":"10.160.95.0/25"}])
//| mvexpand fwarray
//| evaluate bag_unpack(fwarray)
//| where ipv4_is_match(ip, AddressPrefix) == true
//| project Name;
//iif(isempty(toscalar(Result)) , toscalar('Not in known subnet'), toscalar(Result))
};

 

I got these results:

  • WiJaN's avatar
    WiJaN
    Copper Contributor
    May 26, 2020

    Noa KuperbergAwesome, that works perfectly!

Resources