Forum Discussion
use saved function
Thanks Noa.
I have another question following your answer.
Now I understand how to work with functions I created.
But, I'm not sure I understand what 'functions' are intended for.
I noticed that in many of my queries I need to exclude a lot of data.(the same data..)
for example
| where Computer !contains 'a'
| where Computer !contains 'b'
etc...
I wanted to create a new function which holds all that exclustions and then call the function.
instead of writing in all the queries the same lines.
(so it will look better, and writing will be faster :)).
I'm not sure I am writing the function right.
Is the function is the answer to my need? if yes, how should I write the function and how do I call it?
Thank you!
Microsoftdatatable (Computer:string)
["ComputerName1",
"ComputerName2",
"ComputerName2"]
Can be used like this:
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer !in (ExcludedComputer)
| summarize by Computer
You can write a query that exclude computers and save as a function. For example, I save a function name: 'MyComputers':
Heartbeat
| where Computer !contains "a"
| where Computer !contains "b"
| summarize by Computer
Can be used like this:
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer in (MyComputers)
| summarize by Computer
Thanks Yossi but its not working.
datatable (Computer:string)
["ComputerName1",
"ComputerName2",
"ComputerName2"]It does not exclude my list..
its just ignores it
- YossiYTal hi,
I've validated The first example and it works for me. Is it possible that you used 'in' instead of '!in'?
Once you create a function with a list of computers to exclude, you can use that function as a filter in any query you use, for example - if Function Alias is 'ExcludedComputer' the function can be used like this:
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer !in (ExcludedComputer)
| summarize by Computer
If this won't work from any reason, please contact me at: yossiy@microsoft.com.