Forum Discussion

Vineet Bhatia's avatar
Vineet Bhatia
Copper Contributor
Aug 28, 2017

Log analytics - Look up external source of data

We have a requirement where we should be able to lookup data from an external text file and use it in our filter conditions in the queries.   Since we did not see an option to do a lookup, we decid...
Azure Log Analytics
azure monitor
Ketan Ghelani's avatar
Ketan Ghelani
Former Employee
Aug 29, 2017

For your query specifically it seems like this should work, assuming you have ingested using Custom Logs functioanlity data from Custom Logs into the table User4_CL.

//Assuming your table User4_CL has username as a column - or substitute with appropriate colum.

let users=Users4_CL | summarize makeset(username);

SecurityEvent| where SubjectUserName in (users) | project RawData)

Vineet Bhatia's avatar
Vineet Bhatia
Copper Contributor
Aug 30, 2017

Thanks Ketan, i was able to make it work, my query was slightly different.

 

let arr = (search "whitelistusers_CL"  | project Name_s );


let foo = (tableName:string) {     table(tableName) | project Name_s }; 

let b = foo('whitelistusers_CL');

 

SecurityEvent
| where SubjectUserName in (b)

  • Ketan Ghelani's avatar
    Ketan Ghelani
    Former Employee
    Aug 30, 2017

    Ok.

     

    Q: What is the first let statement for ?   let arr = (search "whitelistusers_CL" | project Name_s)

    Doesn't seem to be used anywhere?

    • Vineet Bhatia's avatar
      Vineet Bhatia
      Copper Contributor
      Aug 31, 2017

      That first line was a mistake.

      • gagan2509rajpal's avatar
        gagan2509rajpal
        Copper Contributor
        Aug 12, 2019

        Vineet Bhatia  I also have the same requirement. We have to lookup the data into a .csv file and use the corresponding data in a query. Instead of using Virtual machine, I want to use storage account. Any suggestions would be appreciated.

         

        Thanks!!

Resources