FeintBE
May 06, 2020, Copper Contributor
If statement in a KQL query?
Hello, I was wondering if it's possible to write an if statement in a KQL query. For example, I have a dropdown list, and based on the value I want to execute a query. Anyone know how this is don...
FeintBE
May 08, 2020, Copper Contributor
Yes, my parameter comes from a dropdown list; I have JSON values for the dropdown list.
The parameter I will use is called {Honeytoken:label}.
What I want to achieve is that, based on the dropdown list value, another query should be executed.
For example, you have this query:
SecurityEvent
| where Computer contains "MainPC"
| where EventID == 4663
I want this query to be executed in grid form on my workbook when I choose the value file from the dropdown list.
I was thinking of putting my query in a let variable, like so:
let q =
SecurityEvent
| where Computer contains "MainPC"
| where EventID == 4663;
Then use another SecurityEvent with iff():
SecurityEvent
| extend test = iff({Honeytoken:label} == "File",q,"none")
So if {Honeytoken:label} is equal to File, run the q variable (query), else do "none".
But I get the error: 'extend' operator: Failed to resolve column or scalar expression named 'File'... Click to Retry.
CliveWatson
May 10, 2020, Silver Contributor
A parameter is text, so use " " e.g.
| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")
- FeintBE, May 11, 2020, Copper Contributor
| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")
This works, but instead of "yes its a file" I would rather return a query and not a string.
Each dropdown list value needs to return a different query.
- CliveWatson, May 12, 2020, Silver Contributor
I've done this another way. I have a parameter called KQLquery, which has the KQL in a JSON drop-down.
Then all you need to do is "Add a query" and use the parameter name {KQLquery} in this case.
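
An added example, not part of the original thread: iff() returns a scalar value, so it cannot return a tabular query such as q. One way to get one branch per dropdown value inside a single query is to guard each branch with a filter on the parameter and union the branches. The "Registry" label and its event 4657 branch are assumptions made for illustration; only the "File" branch comes from the thread.

```kusto
// Added example, not code from the thread.
// Workbooks substitute {Honeytoken:label} as plain text before the query runs,
// so it is wrapped in quotes to become a string literal.
let selection = "{Honeytoken:label}";
// Query from the thread, active only when the dropdown label is "File".
let fileAccess =
    SecurityEvent
    | where selection == "File"
    | where Computer contains "MainPC"
    | where EventID == 4663;
// Assumption: a second dropdown label "Registry", mapped to event 4657
// (a registry value was modified). Replace with your own branch.
let registryChange =
    SecurityEvent
    | where selection == "Registry"
    | where Computer contains "MainPC"
    | where EventID == 4657;
// Every branch filters on the parameter, so only the selected one returns rows.
union fileAccess, registryChange
| project TimeGenerated, Computer, EventID, Account, Activity
```

If the branches need different output columns, drop the final project; union then returns the combined column set with empty values where a branch has no such column.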