Forum Discussion
Azure Sentinel's "Function" help
- Mar 03, 2022
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
Hi Gary,
Thank you very much for your response. I guess maybe I am not explaining the issue clearly.
We want to have 2 separate functions so that we could invoke them in other KQL queries (different AWS use cases) like
Function1
Function2
|summarize ... by ...
Function 1, which does the data normalization, is the same for all the queries, while Function 2 is the exclusion and is different case by case. That's why we need to create a dedicated function for it. So it seems your suggestion may not suit the requirement.
Steven_Su If I understand what you need, the first function needs to return a normalized table and then the second function needs to act upon that table. So something like:
let normalizedTable = Function1();
let response = Function2(normalizedTable);
response
If that is the case then Function2 would need to be able to accept the table that you want to perform the summarize on. You cannot just start a function with "| summarize". It can return its own table and then you can just display that table.
- Steven_Su Mar 01, 2022 Copper Contributor
GaryBushey Understood, the answer becomes clearer now. May I further know what the structure of Function2 would be? Because I will also save Function1 and Function2 as functions under "Workspace functions". Could you provide me some ideas on how to write Function2? Thanks!
- Jonhed Mar 01, 2022 Steel Contributor
GaryBushey
Is it possible to pass a tabular argument to a stored function though? I know it is possible with ad-hoc functions defined within the query itself, but I have yet to find a way to do this with stored functions.
At least when you use the Azure Portal GUI, it does not appear to be possible to define a parameter of the tabular type, only regular types such as string, long, dynamic etc.
- GaryBushey Mar 02, 2022 Bronze Contributor
Jonhed If you look at the Examples section in the URL you listed, it shows how to pass in a table to a function:
let MyFilter = (T:(x:long), v:long) { T | where x >= v }; MyFilter((range x from 1 to 10 step 1), 9)
BTW, the range command returns a table.
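As an added illustration of the Function1/Function2 split discussed in this thread (not code from any poster), the query below defines both as ad-hoc functions inside a single query, with Function2 taking a tabular parameter the same way MyFilter does above. The table, column names and function names are constructed for the example.

```kql
// Constructed sample data standing in for raw AWS events (not real log data).
let RawEvents = datatable(EventName:string, UserIdentityType:string, SourceIp:string, Count:long) [
    "ConsoleLogin", "IAMUser",     "203.0.113.10", 3,
    "AssumeRole",   "AssumedRole", "198.51.100.5", 1,
    "DescribeInstances", "AWSService", "203.0.113.10", 40,
    "ConsoleLogin", "IAMUser",     "198.51.100.5", 2
];
// Function1: normalization. Takes no parameters and returns a table with a fixed schema
// (Action, ActorType, SrcIp, Hits) that every downstream query can rely on.
let NormalizeEvents = () {
    RawEvents
    | project Action = tolower(EventName), ActorType = UserIdentityType, SrcIp = SourceIp, Hits = Count
};
// Function2: exclusion. The first parameter is tabular and must declare the columns it expects,
// exactly like the T:(x:long) parameter in the MyFilter example; the second is an ordinary scalar.
let ExcludeActorType = (T:(Action:string, ActorType:string, SrcIp:string, Hits:long), excludedType:string) {
    T
    | where ActorType != excludedType
};
// Chain them: Function2 consumes the table returned by Function1, then the caller summarizes.
ExcludeActorType(NormalizeEvents(), "AWSService")
| summarize TotalHits = sum(Hits) by Action, SrcIp
```

Swapping in a different exclusion function per use case only requires that it declares the same tabular input schema that NormalizeEvents produces.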