Forum Discussion

klaszlo13's avatar
klaszlo13
Copper Contributor
Oct 01, 2024

Workbook with multiple visualizations using lowest number of queries

Coming from Splunk world and didn't found answer to this in the workbook documentation.

 

Is it possible to chains searches, like in Splunk, explained here:

https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain

 

Trying to explain in KQL terms: suppose there are 3 very similar queries, like

  • same base search | condition 1
  • same base search | condition 2
  • same base search | condition 3

feeding 3 vizualizations.

Goal is to execute the "same base search" part only once in the workbook.

Defining a new function for "same base search" still means 3 executions, I guess.

 

Your response is appreciated.

Thank you.

Dashboards
KQL
Workbooks

1 Reply

Sort By
  • G_Wilson3468's avatar
    G_Wilson3468
    Iron Contributor
    Nov 25, 2024

    Have you tried assigning that base search to a variable and then filtering off that variable. For example,

    let base_search = 

    SomeLog

    | where Timestamp >= ago(1d)

    | project Timestamp, UserId, DeviceId, successfulLogins

     

    Then you could search against that:

     

    base_search

    | where UserId == "someone"

    | summarize totalLogins = sum(successfulLogins) by bin(Timegenerated, 1h)

     

    base_search

    | where userId == "someone_else" 

    | summarize otherLogins = sum(successfulLogins) by bin(Timegenerated, 1h)

     

    base_search 

    | where userId == "thirdUser"

    | summarize lastLogins = sum(successfulLogins) by bin(Timegenerated, 1h)

     

    Hope this helps

     

    G.

Resources