Forum Discussion
abon13
Oct 07, 2022 · Brass Contributor
Watchlist file name as a function parameter
Hi, I am writing a main function that calls out sub-functions as per IoCs stored in the watchlist. Currently I have the watchlist file name in every sub-function and was hoping if I can avoid thes...
Clive_Watson
Oct 07, 2022 · Bronze Contributor
Materialize could help here https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/materializefunction but I've not tried it in a function like you describe.
This example is close to what you ask:
To use the let statement with a value that you use more than once, use the materialize() function. Try to push all possible operators that will reduce the materialized data set and still keep the semantics of the query. For example, use filters, or project only required columns.
Kusto
let materializedData = materialize(Table
| where Timestamp > ago(1d));
union (materializedData
| where Text !has "somestring"
| summarize dcount(Resource1)), (materializedData
| where Text !has "somestring"
| summarize dcount(Resource2))
abon13
Oct 10, 2022 · Brass Contributor
Would you be able to elaborate on how I can use materialize for this use case?
I am trying to understand even for making use of materialise, how can I call the watchlist file name made use in the main function.
- Clive_Watson · Oct 10, 2022 · Bronze Contributor
So for example, I have a Watchlist with 7 rows of IP Addresses. I use materialize to cache the data with a let() to the name wList
let wList = materialize ( _GetWatchlist('ipa') );
union
( wList | where SearchKey !startswith "188" | count ),
( wList | where SearchKey startswith "188" | count )
As you can see (in this very brief example) I call wList twice but ask for different data each time
- abon13 · Oct 12, 2022 · Brass Contributor
Thank you
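
One way to apply this to the original question, as an added example that is not part of any post in this thread: materialize the watchlist once in the main query and hand the cached table to each sub-function as a tabular parameter, so the watchlist name appears in only one place. The function names, the "198." prefix and the datatable rows are constructed for illustration; in Sentinel the datatable would be replaced by `_GetWatchlist('ipa')`.

```kusto
// Constructed stand-in for the watchlist so the query runs in any Kusto environment.
// In Microsoft Sentinel, replace the datatable with: _GetWatchlist('ipa')
let wList = materialize(
    datatable(SearchKey:string) [
        "192.0.2.10",
        "192.0.2.44",
        "198.51.100.7",
        "198.51.100.23",
        "203.0.113.5"
    ]
);
// Hypothetical sub-functions: each receives the cached table as a tabular
// parameter instead of calling _GetWatchlist() itself.
// Tabular parameters must be declared before scalar ones.
let CountWithPrefix = (T:(SearchKey:string), prefix:string) {
    T
    | where SearchKey startswith prefix
    | summarize Rows = count()
    | extend Check = strcat("startswith ", prefix)
};
let CountWithoutPrefix = (T:(SearchKey:string), prefix:string) {
    T
    | where SearchKey !startswith prefix
    | summarize Rows = count()
    | extend Check = strcat("!startswith ", prefix)
};
// Main query: the watchlist is named once and read once,
// then reused by both sub-functions.
union
    CountWithPrefix(wList, "198."),
    CountWithoutPrefix(wList, "198.")
```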