Forum Discussion
Azure Sentinel's "Function" help
- Mar 03, 2022
Steven_Su OK, now I got it. Sorry for being so obtuse about this one. You are right, you cannot save a function that calls a table (seems to be a bit of an oversight if you ask me). I would suggest following the ASIM model and just create a different function for each table that you need to be normalized for Function 1.
If you look at the listing of functions that are available to you, there are a lot that start with _ASim. Those are the ones that MS created to perform normalization for different tables.
Steven_Su If I understand what you need, the first function needs to return a normalized table and then the second function needs to act upon that table. So something like:
let normalizedTable = Function1();
let response = Function2(normalizedTable);
response
If that is the case then Function2 would need to be able to accept the table that you want to perform the summarize on. You cannot just start a function with "| summarize". It can return its own table and then you can just display that table.
- JonhedMar 01, 2022Steel Contributor
GaryBushey
Is it possible to pass a tabular argument to a stored function though?I know it is possible with ad-hoc functions defined within the query itself, but I have yet to find a way to do this with stored functions.
At least when you use the Azure Portal GUI, it does not appear to be possible to define a parameter of the tabular type, only regular types such as string, long, dynamic etc.
- GaryBusheyMar 02, 2022Bronze Contributor
Jonhed If you look at the Examples section in the URL you listed, it shows how to pass in a table to a function:
let MyFilter = (T:(x:long), v:long) { T | where x >= v }; MyFilter((range x from 1 to 10 step 1), 9)
BTW, the range command returns a table.
- JonhedMar 03, 2022Steel Contributor
Yes, as I said I know you can do it in ad-hoc functions, where the function is defined within the same query that calls the function. (This is what the example shows)
But what Steven_Su is saying is that he wants to "save Function1 and Function2 as functions under "Workspace functions", meaning you need do it as a stored function.
When you save a function, you need to specify the parameters in the dialog, as you can see in the screenshot below, but there is no option to accept a table as a parameter in this case.
There is no mention of how to accept a table in stored functions in the official documents,
and I have seen other members asking about it, so I am not sure if it is doable in the way Steven_Su imagines it.