cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Is it possible to "pipe" the output of one query to another?

TheGreenGorilla
New Contributor

‎Oct 21 2019 06:33 AM - last edited on ‎Apr 08 2022 10:10 AM by

‎Oct 21 2019 06:33 AM - last edited on ‎Apr 08 2022 10:10 AM by

Is it possible to "pipe" the output of one query to another?

Hi,

Firstly excuse me if this is a silly question, I am new to Kusto and query languages in general.

Is it possible to "pipe" the results of one query and use it to query on with another?

What are trying to do is get the output from the Auditlogs and use an attribute from that to then feed in to a query on the SigninLogs;

 

 

let AddMember = (
AuditLogs
| where TimeGenerated > ago(2h)
| where OperationName == "Add member to group" and TargetResources contains "Our Group"
| project TimeGenerated, OperationName, UserName=TargetResources[0].userPrincipalName, GroupName=TargetResources[0].modifiedProperties[1].newValue
);
let AppSignIn = (
SigninLogs
| where TimeGenerated > ago(2h)
| where AppDisplayName == "Our App"
| where Status.errorCode == "0"
| project TimeGenerated, OperationName, UserName=UserPrincipalName, AppDisplayName
);
AddMember

| union AppSignIn
| sort by TimeGenerated asc

 


I am not familiar with all the operators but I understand that the Union operator creates a single table from both outputs... not quite what I am after because I'd like to use the output from one to feed in to the other. 

Hopefully I have made sense and thanks.

8,518 Views
0 Likes
4 Replies
Reply
4 Replies
CliveWatson

‎Oct 22 2019 03:29 AM

‎Oct 22 2019 03:29 AM

Re: Is it possible to "pipe" the output of one query to another?

@TheGreenGorilla 

 

Are you looking for a join? Something like this?

 

let AddMember = (
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName == "Add member to group" and TargetResources contains "Our Group"
| project TimeGenerated, OperationName, UserName=TargetResources[0].userPrincipalName, GroupName=TargetResources[0].modifiedProperties[1].newValue, ResourceId
);
SigninLogs
| where TimeGenerated > ago(2h)
| where AppDisplayName == "Our App"
| where Status.errorCode == "0"
| project TimeGenerated, OperationName, UserName=UserPrincipalName, AppDisplayName, ResourceId
| join (
        AddMember
 ) on ResourceId 
 | project AppDisplayName , OperationName

   

0 Likes
Reply
TheGreenGorilla

‎Oct 23 2019 02:37 AM

‎Oct 23 2019 02:37 AM

Re: Is it possible to "pipe" the output of one query to another?

Thanks for your reply @CliveWatson

 I have tried the Join operator, but doesnt that just join the columns from the  2 outputs?

 

I'd like the output from the AuditLogs to be the source/input in to the SignIn logs query. A bit like how you would pipe resultant objects from one PowerShell command to the next.

 

I guess I would somehow need to create a temporary table from the AuditLogs and use that as a source for the next query... I am new to Kusto (and query languages) so I may be a tough student.

0 Likes
Reply
best response confirmed by TheGreenGorilla (New Contributor)
CliveWatson

‎Oct 23 2019 03:50 AM

‎Oct 23 2019 03:50 AM

Solution

Re: Is it possible to "pipe" the output of one query to another?

@TheGreenGorilla 

 

More like this?

let AddMember = (
AuditLogs
| where TimeGenerated > ago(2h)
| where OperationName == "Add member to group" and TargetResources contains "Our Group"
| project TimeGenerated, OperationName, UserName=TargetResources[0].userPrincipalName, GroupName=TargetResources[0].modifiedProperties[1].newValue, ResourceId
);
SigninLogs
| where TimeGenerated > ago(2h)
| where AppDisplayName == "Our App"
| where Status.errorCode == "0"
| where UserPrincipalName in (AddMember)
| project TimeGenerated, OperationName, UserName=UserPrincipalName, AppDisplayName, ResourceId

 

 

Or see my working example (using demo data), please click

 

Go to Log Analytics and Run Query

 

Get all computers that startswith a name of "Contoso" from the Heartbeat table and then only show Events for those?  You can use !in for the reverse i.e. "not in"

 

let computerList = (
Heartbeat
| where TimeGenerated > ago(24d)
| where Computer startswith "Contoso"
| distinct Computer
| project Computer
);
Event
| where TimeGenerated > ago(24d)
| where Computer in (computerList)

 

1 Like
Reply
TheGreenGorilla

‎Oct 24 2019 08:08 AM

‎Oct 24 2019 08:08 AM

Re: Is it possible to "pipe" the output of one query to another?

@CliveWatson 

Yes! The IN operator has done the trick and have added to my vocabulary. I had to make a small adjustment to the first Project operator to produce the results 

 

 

let AddMember = (
AuditLogs
| where TimeGenerated > ago(2h)
| where OperationName == "Add member to group" and TargetResources contains "Our Group"
| project UserName=TargetResources[0].userPrincipalName
);
SigninLogs
| where TimeGenerated > ago(2h)
| where AppDisplayName == "Our App"
| where Status.errorCode == "0"
| where UserPrincipalName in (AddMember)
| project TimeGenerated, OperationName, UserName=UserPrincipalName, AppDisplayName, ResourceId

 

 Thanks for taking the time to offer a solution.

 

1 Like
Reply