Aug 14 2020 04:08 AM
I'm looking to leverage common functions across a number of queries so we can update in one place rather than in every analytic.
First question, would it be possible to have a function that just defines a dynamic variable that can be used in other analytics. E.g. a function that defines a list and saved as lb_primaries.
let lb_primaries = dynamic(["127.0.0.1", "127.0.0.2", "127.0.0.3"]);
This way we could reference lb_primaries in a number of analytics, but only update in a single place?
The second question, using an example of a basic lookup (I'm aware of externaldata) where we can return a true or false based on the input. E.g. is_primary_fn
let is_primary = (ip:string) {
iif(dynamic([
"127.0.0.1",
"127.0.0.2",
"127.0.0.3"
]) contains ip, true, false)
};
Then using that with a query like:
NetworkData
| where is_primary_fn(IPAddress)
Which in this example fails with "Body of the callable expression cannot be empty". I've tried a few different way to get this working but so far not having any luck 😞
Aug 14 2020 02:14 PM
Aug 18 2020 07:24 AM
i have same issue.
Aug 18 2020 07:40 AM
@pemontto the below query works without any issue for me.
let NetworkData = datatable (Address:string )
[
"127.0.0.1"
];
let is_primary = (ip:string) {
iif(dynamic([
"127.0.0.1",
"127.0.0.2",
"127.0.0.3"
]) contains ip, true, false)
};
NetworkData
| where is_primary(Address) == "true"
Aug 18 2020 07:43 AM
Did you try saving the function under KQL queries, then invoking it remotely from a KQL editor window ?
In my case, if all code is together, like in the snippet you shared, it works. IF i save the func and invoke it, it won't work.
Aug 18 2020 07:53 AM
Aug 18 2020 10:05 AM - edited Aug 18 2020 10:07 AM
Aug 18 2020 12:13 PM