Forum Discussion

Vineet Bhatia's avatar
Vineet Bhatia
Copper Contributor
Aug 28, 2017

Log analytics - Look up external source of data

We have a requirement where we should be able to lookup data from an external text file and use it in our filter conditions in the queries.   Since we did not see an option to do a lookup, we decid...
Azure Log Analytics
azure monitor
Ketan Ghelani's avatar
Ketan Ghelani
Former Employee
Aug 29, 2017

For your query specifically it seems like this should work, assuming you have ingested using Custom Logs functioanlity data from Custom Logs into the table User4_CL.

//Assuming your table User4_CL has username as a column - or substitute with appropriate colum.

let users=Users4_CL | summarize makeset(username);

SecurityEvent| where SubjectUserName in (users) | project RawData)

  • Vineet Bhatia's avatar
    Vineet Bhatia
    Copper Contributor
    Aug 30, 2017

    Thanks Ketan, i was able to make it work, my query was slightly different.

     

    let arr = (search "whitelistusers_CL"  | project Name_s );


    let foo = (tableName:string) {     table(tableName) | project Name_s }; 

    let b = foo('whitelistusers_CL');

     

    SecurityEvent
    | where SubjectUserName in (b)

    • Ketan Ghelani's avatar
      Ketan Ghelani
      Former Employee
      Aug 30, 2017

      Ok.

       

      Q: What is the first let statement for ?   let arr = (search "whitelistusers_CL" | project Name_s)

      Doesn't seem to be used anywhere?

      • Vineet Bhatia's avatar
        Vineet Bhatia
        Copper Contributor
        Aug 31, 2017

        That first line was a mistake.

Resources