adding imported files with queries to workbooks

New Contributor

Trying to setup a library of stand alone queries similar to the github community repository for appInsights and then reference the actual queries in workbooks for execution.

 

Is this possible?

 

 

 

1 Reply

@jamesReilly1000 there is a way, if you are happy to hard code the names of the files?

Step 1.  Create a new Workbook, then add a PARAMETER, use the options as below (replace the file name in the query, or use mine to test):


ss_1.png

Step 2:  Create a Query that is simply the parameter name from the above, in my case it was kqlFind

 

ss_2.png

 

The result should be like this, where the kqlFind parameter finds and reads the file, trhe query then reads and executes that against which ever workspace you have selcted.
ss_3results.png
 
Example workbook file, you can copy & paste, into a NEW workbook

{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "6819d2bd-23ab-4150-ad10-3ad725b6a53a",
            "version": "KqlParameterItem/1.0",
            "name": "kqlFind",
            "type": 1,
            "query": "let KQLtorun = external_data(kqlString:string)\r\n['https://raw.githubusercontent.com/clivewatson/KQLpublic/master/Queries/usage.yaml'] with (format=\"RAW\");\r\nKQLtorun\r\n| project kqlString",
            "typeSettings": {
              "multiLineText": true,
              "editorLanguage": "kql"
            },
            "timeContext": {
              "durationMs": 86400000
            },
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces"
          }
        ],
        "style": "above",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 0"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "{kqlFind}",
        "size": 0,
        "timeContext": {
          "durationMs": 86400000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - 1"
    }
  ],
  "fromTemplateId": "sentinel-UserWorkbook",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}


Personally, I'd use a Query Pack to do this, as you can also assign via RBAC, the above works for a few queries but for a scale solution I'd suggest a query pack approach https://docs.microsoft.com/en-us/azure/azure-monitor/logs/query-packs 

-----------

I don't think it's in the UI yet, but this Workbook will demo the above (the Hunting Tab within is an alternate way of doing the above, not using the query in a file, but letting you type one into the workbook) and also using a Query Pack lookup and run... 
Azure-Sentinel/SentinelCentral.json at master · Azure/Azure-Sentinel · GitHub