Forum Discussion
Marek Stelcik
Aug 22, 2023 - Copper Contributor
Sentinel workbook: reusing outcome in multiple charts
Hello, I wanted to ask for your help. I have a resource-intensive query to do filtering and parsing. Then I would like to do some simple visualisation. let data= materialize (Syslog | where Tim...
samikroy
Aug 26, 2023 - Brass Contributor
The easiest option will be to save your query as a function in Log Analytics and call that function.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381#:~:text=To%20create%20a%20KQL%20function%20for%20this%20query%2C,an%20alias%20by%20which%20we%20can%20call%20it.
Marek Stelcik
Aug 26, 2023 - Copper Contributor
Thank you Samikroy, that looks promising on the parser. It actually works for the first half pretty well. Great. Do I understand the article correctly: it also supports input parameters from filters, but it has completely different syntax?
Within the workbook it worked for me to have filters like TimePicker Time Range, or Protocol, and then the query in the visualisation was working with the selection well. I tried to use it in a function and define it as two parameters named Protocol and TimeRange in the function, but it did not work with filters. Any idea?
| where TimeGenerated {TimeRange}
|where "{Protocol:label}" == "All" or Protocol in ({Protocol})
samikroy
Sep 11, 2023 - Brass Contributor
You are almost there, just need to mention the parameters while saving the function.
Here is a reference - https://www.youtube.com/watch?v=Pla4n9i6eEM
Hope this helps.
Clive_Watson
Sep 11, 2023 - Bronze Contributor
In a Workbook you also have the option to "duplicate" a Table (this is more useful if you only need to adjust a small part of the data / format it).
New Query --> DataSource: MERGE --> "Duplicate Table" --> <select your Results>