if statment in a KQL query?

Occasional Contributor



I was wondering if its possible to write an if statement in a kql query

for example i have a dropdownlist, and based on the value i want to execute a query


Anyone know how this is done?



5 Replies



Where is the drop down list, is it from a Workbook parameter?


There is IIF() https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/iiffunction







Yes my parameter comes from a dropdownlist, i have json values for the dropdownlist

The parameter i will use is called {Honeytoken:label}



What i want to achieve is that based on the dropdownlist value there should be another query be executed.


for example u have this query :

| where Computer contains "MainPC"
| where EventID == 4663
I want this query to be executed in a grid form on my workbook when i choose the value file from the dropdownlist.
i was thinking of putting my query in a let variable like so :
let q = 
| where Computer contains "MainPC"
| where EventID == 4663;
Then use another SecurityEvent with the iff() :
| extend test = iff({Honeytoken:label} == "File",q,"none")
So if {Honeytoken:label} is equal to File run the q variable (Query) else do "none"
But i get the error, 'extend' operator: Failed to resolve column or scalar expression named 'File'... Click to Retry.



A parameter is text, so use " " e.g.

| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")



| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")


this works but instead of "yes its a file" i would rather return a query and not a string.


each dropdownlist value need to return a different query



I've done this another way.  I have a parameter called KQLquery, which has the KQL in a JSON drop-down. 



Then all you need to do is "Add a query" and use the parameter name {KQLquery} in this case.