Saving results of a query to be used by other queries

%3CLINGO-SUB%20id%3D%22lingo-sub-2487180%22%20slang%3D%22en-US%22%3ESaving%20results%20of%20a%20query%20to%20be%20used%20by%20other%20queries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2487180%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%20I%20am%20new%20to%20KQL%20and%20trying%20to%20explore%20the%20possibility%20of%20being%20able%20to%20save%20the%20results%20of%20a%20query%20in%20Azure%20Log%20Analytics%20.%20A%20scheduling%20will%20be%20done%20on%20this%20query%20to%20be%20run%20once%20a%20day%20to%20update%20the%20results%20and%20hence%20update%20the%20saved%20data.%3C%2FP%3E%3CP%3EThe%20results%20saved%20from%20the%20above%20query%20will%20be%20used%20by%20other%20queries%20that%20will%20do%20a%20lookup%20into%20this%20saved%20table%20to%20suss%20out%20important%20details%20when%20returning%20results.%20So%20for%20example.%3C%2FP%3E%3CP%3EI%20have%20Query%20A%20that%20returns%20column%20A%20%2C%20Column%20B%20%2C%20Column%20C%26nbsp%3B%20that%20gets%20saved%20in%20Table%20A.%3C%2FP%3E%3CP%3EThis%20Query%20A%20is%20run%20say%20every%20day%20so%20that%20Table%20A%20is%20always%20refreshed%20with%20latest%20and%20greatest%20data.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I%20have%20Query%20B%20that%20has%20access%20to%20the%20values%20in%20Column%20A%20of%20Table%20A%20.%20It%20uses%20this%20value%20of%20ColumnA%20to%20query%20Table%20A%20to%20retrieve%20data%20for%20Column%20B%20%2C%20Column%20C%20and%20enrich%20the%20results%20that%20are%20returned%20.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESince%20Query%20B%20is%20run%20very%20frequenty%20I%20don't%20really%20want%20to%20do%20the%20full%20query%20A%20(%20which%20is%20fairly%20static)%20since%20it%20will%20become%20overly%20inefficient.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20something%20that%20is%20possible%20with%20KQL%20and%20Log%20Analytics%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2487312%22%20slang%3D%22en-US%22%3ERe%3A%20Saving%20results%20of%20a%20query%20to%20be%20used%20by%20other%20queries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2487312%22%20slang%3D%22en-US%22%3EYou%20could%20potentially%20look%20at%20Azure%20Automation%20and%20a%20PowerShell%20runbook%20to%20trigger%20the%20query%2C%20based%20on%20your%20schedule..%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2492337%22%20slang%3D%22en-US%22%3ERe%3A%20Saving%20results%20of%20a%20query%20to%20be%20used%20by%20other%20queries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2492337%22%20slang%3D%22en-US%22%3EAs%20Luke%20says%2C%20Log%20Analytics%20queries%20cant%20create%20a%20Table%2C%20so%20you%20can%20use%20his%20idea%20or%20look%20at%20a%20Logic%20App%20on%20a%20recurrence%20trigger%20to%20fire%20the%20query%20at%20a%20specific%20time%20of%20day%2C%20the%20logic%20app%20can%20then%20run%20the%20KQL%20query%20to%20populate%20a%20custom%20log%20table%20%3CTABLE%20name_cl%3D%22%22%3E.%20You%20can%20then%20%22join%22%20your%20other%20query%20to%20that%20table%20with%20your%20aggregated%20results.%20This%20example%20sends%20an%20email%2C%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Findustry-blog%2Fen-gb%2Fcross-industry%2F2020%2F06%2F17%2Flog-analytics-or-azure-sentinel-how-schedule-a-report%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Findustry-blog%2Fen-gb%2Fcross-industry%2F2020%2F06%2F17%2Flog-analytics-or-azure-sentinel-how-schedule-a-report%2F%3C%2FA%3E%20but%20you%20can%20use%20another%20control%20%22send%20data%22%20to%20populate%20a%20Table%20(custom%20logs%20are%20billable%20data%20sources)%3CBR%20%2F%3E%3CBR%20%2F%3EExample%20%22join%22%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fjoinoperator%3Fpivots%3Dazuremonitor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fjoinoperator%3Fpivots%3Dazuremonitor%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EServiceMapProcess_CL%3CBR%20%2F%3E%7C%20project%20Computer%20%2F%2F%20computer%3CBR%20%2F%3E%7C%20join%20%3CBR%20%2F%3E%20(%3CBR%20%2F%3E%20Heartbeat%20%3CBR%20%2F%3E%20%7C%20distinct%20Computer%20%2F%2F%20computer%201%3CBR%20%2F%3E%20)%20on%20Computer%20%3CBR%20%2F%3E%7C%20project%20customComputerName%20%3D%20Computer%2C%20HeartBeatComputerName%20%3D%20Computer1%20%3CBR%20%2F%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

  I am new to KQL and trying to explore the possibility of being able to save the results of a query in Azure Log Analytics . A scheduling will be done on this query to be run once a day to update the results and hence update the saved data.

The results saved from the above query will be used by other queries that will do a lookup into this saved table to suss out important details when returning results. So for example.

I have Query A that returns column A , Column B , Column C  that gets saved in Table A.

This Query A is run say every day so that Table A is always refreshed with latest and greatest data.

 

Now I have Query B that has access to the values in Column A of Table A . It uses this value of ColumnA to query Table A to retrieve data for Column B , Column C and enrich the results that are returned .

 

Since Query B is run very frequenty I don't really want to do the full query A ( which is fairly static) since it will become overly inefficient.

 

Is this something that is possible with KQL and Log Analytics ?

 

Thanks

 

 

 

4 Replies
You could potentially look at Azure Automation and a PowerShell runbook to trigger the query, based on your schedule..
As Luke says, Log Analytics queries cant create a Table, so you can use his idea or look at a Logic App on a recurrence trigger to fire the query at a specific time of day, the logic app can then run the KQL query to populate a custom log table <table name_CL>. You can then "join" your other query to that table with your aggregated results. This example sends an email, https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2020/06/17/log-analytics-or-azur... but you can use another control "send data" to populate a Table (custom logs are billable data sources)

Example "join" https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/joinoperator?pivots=azuremonitor

ServiceMapProcess_CL
| project Computer // computer
| join
(
Heartbeat
| distinct Computer // computer 1
) on Computer
| project customComputerName = Computer, HeartBeatComputerName = Computer1

Hey .. thanks for the reply. I am currently stuck up at creation of step 2 'Run Query and visualize results'. It keeps giving the attached error when I try to sign in. It seems issue with 3rd party cookies that are disabled and I don't have admin control on my browser to change that. Is there a way to get around that ?

 

Also is there any other way of achieving the above results . We do have all the static data already saved in our azure table storage  so instead of getting the details from the logs we can as well query our table storage to get the static data. Is there a way of doing that in Azure analytics ?

 

ThanksScreenshot_browser_closed_error.png