if statment in a KQL query?

Occasional Contributor

Hello,

 

I was wondering if its possible to write an if statement in a kql query

for example i have a dropdownlist, and based on the value i want to execute a query

 

Anyone know how this is done?

 

 

5 Replies

@FeintBE 

 

Where is the drop down list, is it from a Workbook parameter?

 

There is IIF() https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/iiffunction

 

 

 

 

@CliveWatson 

 

Yes my parameter comes from a dropdownlist, i have json values for the dropdownlist

The parameter i will use is called {Honeytoken:label}

FeintBE_0-1588920934270.png

 

What i want to achieve is that based on the dropdownlist value there should be another query be executed.

 

for example u have this query :

SecurityEvent
| where Computer contains "MainPC"
| where EventID == 4663
 
I want this query to be executed in a grid form on my workbook when i choose the value file from the dropdownlist.
 
i was thinking of putting my query in a let variable like so :
let q = 
SecurityEvent
| where Computer contains "MainPC"
| where EventID == 4663;
 
Then use another SecurityEvent with the iff() :
SecurityEvent
| extend test = iff({Honeytoken:label} == "File",q,"none")
 
So if {Honeytoken:label} is equal to File run the q variable (Query) else do "none"
 
 
But i get the error, 'extend' operator: Failed to resolve column or scalar expression named 'File'... Click to Retry.

 

 

A parameter is text, so use " " e.g.

| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")

@CliveWatson 

 

| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")

 

this works but instead of "yes its a file" i would rather return a query and not a string.

 

each dropdownlist value need to return a different query

@FeintBE 

 

I've done this another way.  I have a parameter called KQLquery, which has the KQL in a JSON drop-down. 

kqlQuery.jpg

 

Then all you need to do is "Add a query" and use the parameter name {KQLquery} in this case.

query.jpg