Forum Discussion
Marek Stelcik
Aug 22, 2023, Copper Contributor
Sentinel workbook: reusing outcome in multiple charts
Hello,
I wanted to ask for your help.
I have a resource-intensive query to do filtering and parsing. Then I would like to do some simple visualisation.
let data= materialize (Syslog
| where TimeGenerated {TimeRange}
| where HostName has "172."
| extend Protocol = extract(@'protocol=\"?(\w+)\"?', 1, SyslogMessage),
and much more.....
Is it possible to declare this somehow as a global variable for the whole Sentinel workbook, so I can subsequently just do some simple subselects and visualise?
Like a chart calling data and selecting one column,
then visualising another column, etc.
for example:
data
| summarize count() by Src_IP
The problem I have is that if I have to duplicate the whole first query, where I am materializing "data", in each chart, it's extremely slow.
- rutgersmeets, Brass Contributor
Hi Marek Stelcik,
I might have some ideas that I can share. Can you provide some more details on the characteristics of your 'data' variable? How many rows and columns does it typically contain after using project or project-keep to reduce unnecessary data? A ball-park figure is fine.
Kind regards,
Rutger Smeets
- samikroy, Brass Contributor
The easiest option will be to save your query as a function in Log Analytics and call that function:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381#:~:text=To%20create%20a%20KQL%20function%20for%20this%20query%2C,an%20alias%20by%20which%20we%20can%20call%20it.
- Marek Stelcik, Copper Contributor
Thank you Samikroy, that looks promising on the parser. It actually works for the first half pretty well. Great. Do I understand the article correctly that it also supports input parameters from filters, but with a completely different syntax?
Within the workbook it worked for me to have filters like TimePicker Time Range or Protocol, and then the query in the visualisation was working well with the selection. I tried to use it in a function and define it as two parameters named Protocol and TimeRange in the function, but it did not work with the filters. Any idea?
| where TimeGenerated {TimeRange}
| where "{Protocol:label}" == "All" or Protocol in ({Protocol})
- samikroy, Brass Contributor
You are almost there, you just need to mention the parameters while saving the function.
Here is a reference - https://www.youtube.com/watch?v=Pla4n9i6eEM
Hope this helps.
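As an added example (not code from anyone in this thread) of what samikroy's suggestion looks like end to end: the saved function takes the time window and the protocol list as real parameters instead of the workbook's `{TimeRange}` / `{Protocol}` fragments, and each chart calls it using the workbook parameter formats. The function name ParsedSyslog, the parameter names, the Src_IP regex and the use of a dynamic-typed parameter are my assumptions, not anything from the thread.

```kusto
// Added example, not code from this thread. Function name ParsedSyslog,
// parameter names, the Src_IP regex and the dynamic parameter type are assumed.
//
// ---- body saved once in Log Analytics ("Save as function") as ParsedSyslog,
// ---- with parameters startTime:datetime, endTime:datetime, protocols:dynamic
Syslog
| where TimeGenerated between (startTime .. endTime)
| where HostName has "172."
| extend Protocol = extract(@'protocol=\"?(\w+)\"?', 1, SyslogMessage)
| extend Src_IP = extract(@'src=(\d{1,3}(?:\.\d{1,3}){3})', 1, SyslogMessage)  // assumed message format
// an empty protocol list means "All"; otherwise keep only the selected protocols
| where array_length(protocols) == 0 or set_has_element(protocols, Protocol)
| project TimeGenerated, HostName, Protocol, Src_IP

// ---- query for one chart in the workbook ----
// {TimeRange:start} / {TimeRange:end} expand to ISO timestamps and {Protocol}
// to a quoted, comma-separated list of the selected values (assumes at least
// one item, e.g. the "All" entry, is selected), so the expensive filtering and
// parsing runs inside the function instead of being repeated per chart.
ParsedSyslog(datetime({TimeRange:start}), datetime({TimeRange:end}),
             iff("{Protocol:label}" == "All", dynamic([]), pack_array({Protocol})))
| summarize count() by Src_IP
```

Each further chart is then just another one-line call to ParsedSyslog with a different summarize, which is what the original question was after.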