Forum Discussion
if statment in a KQL query?
Hello,
I was wondering if its possible to write an if statement in a kql query
for example i have a dropdownlist, and based on the value i want to execute a query
Anyone know how this is done?
- CliveWatson
Microsoft
Where is the drop down list, is it from a Workbook parameter?
There is IIF() https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/iiffunction
Yes my parameter comes from a dropdownlist, i have json values for the dropdownlist
The parameter i will use is called {Honeytoken:label}
What i want to achieve is that based on the dropdownlist value there should be another query be executed.
for example u have this query :
SecurityEvent| where Computer contains "MainPC"| where EventID == 4663I want this query to be executed in a grid form on my workbook when i choose the value file from the dropdownlist.i was thinking of putting my query in a let variable like so :let q =SecurityEvent| where Computer contains "MainPC"| where EventID == 4663;Then use another SecurityEvent with the iff() :SecurityEvent| extend test = iff({Honeytoken:label} == "File",q,"none")So if {Honeytoken:label} is equal to File run the q variable (Query) else do "none"But i get the error, 'extend' operator: Failed to resolve column or scalar expression named 'File'... Click to Retry.- CliveWatsonA parameter is text, so use " " e.g.
| extend test = iff("{Honeytoken:label}" == "File","Yes its a file","No its not")
