cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to execute a returned KQL query

dimmi
Copper Contributor

‎Mar 20 2020 04:55 AM - last edited on ‎Apr 08 2022 10:20 AM by

‎Mar 20 2020 04:55 AM - last edited on ‎Apr 08 2022 10:20 AM by

How to execute a returned KQL query

Hi,

 

Quick visualisation of one data record:

 

ID1001
DescriptionSample Query
Query{some KQL query}

 

I would like to get the query and execute it all within a KQL statement, something like this:

 

SampleTable

| where ID == '1001'

| extend results = run_query(Query)

| extend results_parsed = parse_json(results)

| {count number of results, get the description of first 10 and add to query output}

 

Thanks!

dimmi

3,221 Views
1 Like
3 Replies
Reply
3 Replies
GraceAA

‎Apr 09 2021 06:51 AM

‎Apr 09 2021 06:51 AM

Re: How to execute a returned KQL query

hello Dimmi, were you able to find a way. I am trying to do the same.
0 Likes
Reply
AbdallaElzedy

‎Sep 30 2022 12:48 PM

‎Sep 30 2022 12:48 PM

Re: How to execute a returned KQL query

If you are referring to a compressed query in the results, there is some sort of workaround, you can extract the compressed text and decompress it in an extended field

For example in the Azure Security Alert Table
Table
| project CompressedQuery = tostring(parse_json(ExtendedProperties).Query)
| extend Compressed = extract(@"\['([^;]+)']",1,CompressedQuery)
|extend raw = todynamic(zlib_decompress_from_base64_string(Compressed))

I hope that helps

0 Likes
Reply