Dec 25 2017 05:32 AM - last edited on Apr 07 2022 04:50 PM by TechCommunityAP
Hello,
I created a new function and saved it as "Function" on the right pane of saved queries.
How can I use/call this function on new queries I'm creating?
(the function is not listed on the "functions" list on the left pane)
Thanks,
Dec 26 2017 11:25 AM
Hi Tal,
A function is available almost immediately after you save it, even if it's not shown on the left pane (the left pane was probably loaded on login, and was not refreshed since you created the function).
To use a function, just refer to it by name. (you may add "()" as well, up to you). For example, I created a function that gets computers that sent a heartbeat in the last hour, and saved it as "computers_alive_in_last_hour":
Heartbeat | where TimeGenerated > ago(1h) | summarize arg_max(TimeGenerated, *) by Computer | project Computer
and I later called it to see if "zombie" computers were causing security issues:
SecurityEvent | where TimeGenerated > ago(30m) | where Computer !in (computers_alive_in_last_hour())
Jan 01 2018 10:24 PM
Thanks Noa.
I have another question following your answer.
Now I understand how to work with functions I created.
But, I'm not sure I understand what 'functions' are intended for.
I noticed that in many of my queries I need to exclude a lot of data (the same data).
For example:
| where Computer !contains 'a'
| where Computer !contains 'b'
etc...
I wanted to create a new function which holds all those exclusions and then call the function,
instead of writing the same lines in all the queries.
(so it will look better, and writing will be faster :)).
I'm not sure I am writing the function right.
Is the function the answer to my need? If yes, how should I write the function and how do I call it?
Thank you!
Jan 02 2018 04:37 AM
Jan 03 2018 04:03 AM
Thanks Yossi, but it's not working.
datatable (Computer:string)
["ComputerName1",
"ComputerName2",
"ComputerName2"]
It does not exclude my list.
It just ignores it.
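
The pattern discussed in the posts above, as an added example that is not part of the thread: an exclusion list kept in a function and applied to a query with `!in~`. The function is defined inline with `let` so the query is self-contained; `excluded_computers`, `sample_events` and every row are constructed for illustration.

```kql
// Added example: all names and rows are constructed sample data.
// excluded_computers stands in for a saved function (hypothetical name)
// whose body is only the datatable.
let excluded_computers = () {
    datatable (Computer:string)
    [
        "ComputerName1",
        "ComputerName2"
    ]
};
// Constructed stand-in for SecurityEvent, so the query runs without real data.
let sample_events = datatable (TimeGenerated:datetime, Computer:string, EventID:int)
[
    datetime(2018-01-03 08:00:00), "ComputerName1", 4625,
    datetime(2018-01-03 08:01:00), "COMPUTERNAME2", 4625,
    datetime(2018-01-03 08:02:00), "ComputerName2.contoso.local", 4624,
    datetime(2018-01-03 08:03:00), "ComputerName3", 4624
];
sample_events
// The list has no effect until a filter refers to it.
// !in~ compares whole values and ignores case; !in is case-sensitive.
// Neither is a substring match like !contains, so a list entry with a
// short name does not exclude the same host logged under its FQDN.
| where Computer !in~ (excluded_computers())
| project TimeGenerated, Computer, EventID
```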
Jan 03 2018 08:23 AM