Forum Discussion

Vineet Bhatia's avatar
Vineet Bhatia
Copper Contributor
Aug 28, 2017

Log analytics - Look up external source of data

We have a requirement where we should be able to lookup data from an external text file and use it in our filter conditions in the queries.   Since we did not see an option to do a lookup, we decid...
Azure Log Analytics
azure monitor
Noa Kuperberg's avatar
Noa Kuperberg
Icon for Microsoft rankMicrosoft
Aug 28, 2017

Hi,
you can do it quite like you show above. For example, here's how you can query Event logs of computers that also have security events from the last hour:
let computers_with_security_events = 

SecurityEvent | where TimeGenerated > now(-1h)  | project Computer;
Event | where TimeGenerated > now(-1h)  | where Computer in (computers_with_security_events)

 

If querying the custom log is very common, you might want to save this part as a function. If you name the function for example 'computers_in_my_custom_log' you can refer to it from any other query like this:

Event | where TimeGenerated > now(-1h) | where Computer in (computers_in_my_custom_log)
 
Hope this helps,
Noa
  • Vineet Bhatia's avatar
    Vineet Bhatia
    Copper Contributor
    Aug 30, 2017

    Thanks Noa, was able to slove the problem. It seems when I insert the custom logs using the API,its much better in terms of identifying sptring fields.

Resources