Forum Discussion

Tal Feinberg's avatar
Tal Feinberg
Copper Contributor
Dec 25, 2017

use saved function

Hello,   I created a new function and saved it as "Function" on the right pane of saved queries. How can I use/call this function on new queries Im creating?   (the function is not listed o...
Azure Log Analytics
azure monitor
Noa Kuperberg's avatar
Noa Kuperberg
Icon for Microsoft rankMicrosoft
Dec 26, 2017

Hi Tal,

A function is available almost immediately after you save it, even if it's not shown on the left pane (the left pane was probably loaded on login, and was not refreshed since you created the function).

To use a function, just refer to it by name. (you may add "()" as well, up to you). For example, I created a function that gets computers that sent a heartbeat in the last hour, and saved it as  "computers_alive_in_last_hour":

 

Heartbeat
| where TimeGenerated > ago(1h)
| summarize arg_max(TimeGenerated, *) by Computer
| project Computer

 

and I later called it to see if "zombie" computers were causing security issues:

 
SecurityEvent
| where TimeGenerated > ago(30m)
| where Computer !in (computers_alive_in_last_hour())
 
 
HTH
  • Tal Feinberg's avatar
    Tal Feinberg
    Copper Contributor
    Jan 01, 2018

    Thanks Noa.

    I have another question following your answer.

     

    Now I understand how to work with functions I created. 

    But, I'm not sure I understand what 'functions' are intended for.

     

    I noticed that in many of my queries I need to exclude a lot of data.(the same data..)

    for example

    | where Computer !contains 'a'

    | where Computer !contains 'b'

    etc...

     

    I wanted to create a new function which holds all that exclustions and then call the function.

    instead of writing in all the queries the same lines. 

    (so it will look better, and writing will be faster :)).

     

    I'm not sure I am writing the function right.

    Is the function is the answer to my need? if yes, how should I write the function and how do I call it?

     

    Thank you!

    • YossiY's avatar
      YossiY
      Icon for Microsoft rankMicrosoft
      Jan 02, 2018
      In case you have a known list of computers that you would like to exclude, you can manage this list in a function and call it in your query. For example, I save a function name: 'ExcludedComputer':
      datatable (Computer:string)
      ["ComputerName1",
      "ComputerName2",
      "ComputerName2"]

      Can be used like this:
      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where Computer !in (ExcludedComputer)
      | summarize by Computer

      You can write a query that exclude computers and save as a function. For example, I save a function name: 'MyComputers':
      Heartbeat
      | where Computer !contains "a"
      | where Computer !contains "b"
      | summarize by Computer

      Can be used like this:
      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where Computer in (MyComputers)
      | summarize by Computer

      • Tal Feinberg's avatar
        Tal Feinberg
        Copper Contributor
        Jan 03, 2018

        Thanks Yossi but its not working.

         

        datatable (Computer:string)
        ["ComputerName1",
        "ComputerName2",
        "ComputerName2"]

         

        It does not exclude my list..

        its just ignores it