use saved function


Hello,

 

I created a new function and saved it as "Function" on the right pane of saved queries.

How can I use/call this function in new queries I'm creating?

 

(the function is not listed on the "functions" list on the left pane)

 

Thanks,

 


Hi Tal,

A function is available almost immediately after you save it, even if it's not shown on the left pane (the left pane was probably loaded on login, and was not refreshed since you created the function).

To use a function, just refer to it by name (you may add "()" as well, up to you). For example, I created a function that gets computers that sent a heartbeat in the last hour, and saved it as "computers_alive_in_last_hour":

 

Heartbeat
| where TimeGenerated > ago(1h)
| summarize arg_max(TimeGenerated, *) by Computer
| project Computer

 

and I later called it to see if "zombie" computers were causing security issues:

 
SecurityEvent
| where TimeGenerated > ago(30m)
| where Computer !in (computers_alive_in_last_hour())
 
 
HTH

Thanks Noa.

I have another question following your answer.

 

Now I understand how to work with functions I created. 

But, I'm not sure I understand what 'functions' are intended for.

 

I noticed that in many of my queries I need to exclude a lot of data (the same data...).

for example

| where Computer !contains 'a'

| where Computer !contains 'b'

etc...

 

I wanted to create a new function which holds all those exclusions and then call the function

instead of writing in all the queries the same lines. 

(so it will look better, and writing will be faster :)).

 

I'm not sure I am writing the function right.

Is the function the answer to my need? If yes, how should I write the function and how do I call it?

 

Thank you!

In case you have a known list of computers that you would like to exclude, you can manage this list in a function and call it in your query. For example, I saved a function named 'ExcludedComputer':
datatable (Computer:string)
["ComputerName1",
"ComputerName2",
"ComputerName2"]

Can be used like this:
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer !in (ExcludedComputer)
| summarize by Computer

You can write a query that excludes computers and save it as a function. For example, I saved a function named 'MyComputers':
Heartbeat
| where Computer !contains "a"
| where Computer !contains "b"
| summarize by Computer

Can be used like this:
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer in (MyComputers)
| summarize by Computer

Thanks Yossi, but it's not working.

 

datatable (Computer:string)
["ComputerName1",
"ComputerName2",
"ComputerName2"]

 

It does not exclude my list..

It just ignores it.

 

Tal hi,
I've validated the first example and it works for me. Is it possible that you used 'in' instead of '!in'?

Once you create a function with a list of computers to exclude, you can use that function as a filter in any query you use, for example - if Function Alias is 'ExcludedComputer' the function can be used like this:
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer !in (ExcludedComputer)
| summarize by Computer

If this doesn't work for any reason, please contact me at: yossiy@microsoft.com.
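Putting the two patterns from this thread together (Noa's "computers alive in the last hour" function and Yossi's datatable exclusion list), here is an added example that is not from any of the posts above. It uses `let` statements so the whole thing can be pasted into one query and tested before each piece is saved as a function; once saved, the `let` lines go away and the function aliases are referenced by name exactly as shown in the replies. The computer names are constructed placeholders, and the Heartbeat and SecurityEvent tables are the ones already used on this page. One check worth knowing: `in` and `!in` are case-sensitive, so if the names in your list and the Computer column may differ in case, use `!in~` instead.

```kql
// Added example, not code from the thread. Inline `let` versions of the two
// saved functions discussed above, so the filter logic can be validated in a
// single query before saving each piece as a function.

// Constructed placeholder list of hosts whose events we never want to see.
// Saved as a function, this body alone becomes the 'ExcludedComputer' alias.
let ExcludedComputer = datatable(Computer:string)
[
    "ComputerName1",
    "ComputerName2"
];

// Hosts that reported a heartbeat in the last hour (Noa's pattern).
// Saved as a function, this becomes 'computers_alive_in_last_hour'.
let computers_alive_in_last_hour =
    Heartbeat
    | where TimeGenerated > ago(1h)
    | summarize by Computer;

SecurityEvent
| where TimeGenerated > ago(1h)
// Drop the known-noisy hosts. `!in~` is the case-insensitive form; plain `!in`
// would silently keep "computername1" if the list says "ComputerName1".
| where Computer !in~ (ExcludedComputer)
// Keep only hosts that did NOT heartbeat in the last hour, i.e. the "zombie"
// check from earlier in the thread, now applied on top of the exclusion list.
| where Computer !in (computers_alive_in_last_hour)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Events desc
```

If the query returns rows you expected the list to remove, run `ExcludedComputer` on its own first: a saved function that returns an empty table (for example because the datatable line was saved with a typo) filters nothing, and `!in` against an empty set keeps every row, which looks exactly like the list being ignored.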