Microsoft Tech Community

Kusto user-defined function for common actions

I'm looking to leverage common functions across a number of queries so we can update in one place rather than in every analytic.


First question: would it be possible to have a function that just defines a dynamic variable that can be used in other analytics? E.g. a function that defines a list and is saved as lb_primaries.

let lb_primaries = dynamic(["127.0.0.1", "127.0.0.2", "127.0.0.3"]);

This way we could reference lb_primaries in a number of analytics, but only update in a single place?


The second question: using an example of a basic lookup (I'm aware of externaldata) where we return true or false based on the input, e.g. is_primary_fn.

let is_primary = (ip:string) {
    iif(dynamic([
        "127.0.0.1",
        "127.0.0.2",
        "127.0.0.3"
    ]) contains ip, true, false)
};

Then using that with a query like:

NetworkData
| where is_primary_fn(IPAddress)

Which in this example fails with "Body of the callable expression cannot be empty". I've tried a few different ways to get this working but so far I'm not having any luck :(

7 Replies
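As an added, self-contained example (not code from the original post or its replies), the two ideas in the question written as KQL let-functions that can be kept in one place: a parameterless function that returns the list, and a predicate that tests membership with set_has_element() rather than contains. The NetworkData table, its columns and the sample rows are constructed for illustration.

```kusto
// Constructed sample data standing in for the NetworkData table from the question.
let NetworkData = datatable (TimeGenerated:datetime, IPAddress:string, Action:string)
[
    datetime(2024-01-01 10:00:00), "127.0.0.1",   "Login",
    datetime(2024-01-01 10:01:00), "10.0.0.25",   "Login",
    datetime(2024-01-01 10:02:00), "127.0.0.3",   "Logout",
    datetime(2024-01-01 10:03:00), "192.168.1.9", "Login"
];
// Question 1: a zero-argument function that returns the list, so the list is
// defined once and every query that needs it calls lb_primaries().
let lb_primaries = () { dynamic(["127.0.0.1", "127.0.0.2", "127.0.0.3"]) };
// Question 2: a predicate function. set_has_element() matches a whole array
// element, whereas `contains` would treat the array as one string and do a
// case-insensitive substring match (an input of "127.0.0.1" would also match a
// list entry of "127.0.0.10").
let is_primary = (ip:string) { set_has_element(lb_primaries(), ip) };
NetworkData
| extend IsPrimary = is_primary(IPAddress)
| where not(IsPrimary)      // surface activity from addresses outside the known set
| project TimeGenerated, IPAddress, Action, IsPrimary
```

With the sample rows above, the query returns the two rows for 10.0.0.25 and 192.168.1.9. The predicate returns a bool, so it can be used directly in `where` without comparing against a string.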
As far as I know, you should invoke the function.
NetworkData
| invoke is_primary(tostring(IPAddress))

@pemontto

I have the same issue.

@pemontto the below query works without any issue for me.

let NetworkData = datatable (Address:string )
[
"127.0.0.1"
];
let is_primary = (ip:string) {
    iif(dynamic([
        "127.0.0.1",
        "127.0.0.2",
        "127.0.0.3"
    ]) contains ip, true, false)
};
NetworkData
| where is_primary(Address) == "true"

@mergene 

Did you try saving the function under KQL queries, then invoking it remotely from a KQL editor window?


In my case, if all the code is together, like in the snippet you shared, it works. If I save the function and invoke it, it won't work.

Looks like the only way to create a parameterized function is to use resource templates.
https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-log-queries#parameteri...

@mergene which aren't supported in Log Analytics yet, right?


And yes, I could get the functions working in the same query but as @majo01 said, never when saved as a function to use in another query.

I didn't try it, but if you look at the template on the page, it uses Log Analytics workspaces. Azure Monitor is based on Log Analytics as well.