cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

adding imported files with queries to workbooks

jamesReilly1000
Copper Contributor

‎Jan 01 2022 06:20 PM - last edited on ‎Apr 08 2022 10:58 AM by

‎Jan 01 2022 06:20 PM - last edited on ‎Apr 08 2022 10:58 AM by

adding imported files with queries to workbooks

Trying to setup a library of stand alone queries similar to the github community repository for appInsights and then reference the actual queries in workbooks for execution.

 

Is this possible?

 

 

 

Labels:
725 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Jan 05 2022 02:15 AM

‎Jan 05 2022 02:15 AM

Re: adding imported files with queries to workbooks

@jamesReilly1000 there is a way, if you are happy to hard code the names of the files?

Step 1.  Create a new Workbook, then add a PARAMETER, use the options as below (replace the file name in the query, or use mine to test):


ss_1.png

Step 2:  Create a Query that is simply the parameter name from the above, in my case it was kqlFind

 

ss_2.png

 

The result should be like this, where the kqlFind parameter finds and reads the file, trhe query then reads and executes that against which ever workspace you have selcted.
ss_3results.png
 
Example workbook file, you can copy & paste, into a NEW workbook

{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "6819d2bd-23ab-4150-ad10-3ad725b6a53a",
            "version": "KqlParameterItem/1.0",
            "name": "kqlFind",
            "type": 1,
            "query": "let KQLtorun = external_data(kqlString:string)\r\n['https://raw.githubusercontent.com/clivewatson/KQLpublic/master/Queries/usage.yaml'] with (format=\"RAW\");\r\nKQLtorun\r\n| project kqlString",
            "typeSettings": {
              "multiLineText": true,
              "editorLanguage": "kql"
            },
            "timeContext": {
              "durationMs": 86400000
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces"
          }
        ],
        "style": "above",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 0"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "{kqlFind}",
        "size": 0,
        "timeContext": {
          "durationMs": 86400000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 1"
    }
  ],
  "fromTemplateId": "sentinel-UserWorkbook",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}


Personally, I'd use a Query Pack to do this, as you can also assign via RBAC, the above works for a few queries but for a scale solution I'd suggest a query pack approach https://docs.microsoft.com/en-us/azure/azure-monitor/logs/query-packs 

-----------

I don't think it's in the UI yet, but this Workbook will demo the above (the Hunting Tab within is an alternate way of doing the above, not using the query in a file, but letting you type one into the workbook) and also using a Query Pack lookup and run... 
Azure-Sentinel/SentinelCentral.json at master · Azure/Azure-Sentinel · GitHub

0 Likes
Reply