Microsoft Tech Community

Sentinel workbook: reusing outcome in multiple charts


Hello,

I wanted to ask for your help.

I have a resource-intensive query to do filtering and parsing. Then I would like to do some simple visualisation.


let data = materialize (Syslog
| where TimeGenerated {TimeRange}
| where HostName has "172."
| extend Protocol = extract(@'protocol=\"?(\w+)\"?', 1, SyslogMessage)
and much more.....

Is it possible to declare this somehow as a global variable for the whole Sentinel workbook so I can subsequently just do some simple subselects and visualise?

like a chart calling data and selecting one column,
then visualising another column etc.
For example:
data
| summarize count() by Src_IP

The problem I have is that if I have to duplicate the whole first query, where I am materializing "data", in each chart, it is extremely slow.

5 Replies
The easiest option will be to save your query as a function in Log Analytics and call that function
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-kql-functions-to-speed-up-analy....
Thank you Samikroy, that looks promising on the parser. It actually works for the first half pretty well. Great. Do I understand the article correctly, that it also supports input parameters from filters, but with a completely different syntax?

Within the workbook it worked for me to have filters like the TimePicker Time Range, or Protocol, and then the query in the visualisation was working with the selection well. I tried to use it in the function and define it as two parameters named Protocol and TimeRange in the function, but it did not work with the filters. Any idea?
| where TimeGenerated {TimeRange}
| where "{Protocol:label}" == "All" or Protocol in ({Protocol})

You are almost there, just need to mention the parameters while saving the function.
Here is a reference - https://www.youtube.com/watch?v=Pla4n9i6eEM
Hope this helps.
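The two answers above describe the same mechanism: the expensive filter-and-parse step becomes a saved Log Analytics function whose parameters are declared when the function is saved, and each workbook chart calls it with the workbook's own filter values instead of repeating a materialize block (materialize only shares a result within one query, and every workbook chart is a separate query, which is why duplicating it is slow). The following is an added illustration, not the poster's query or code from the linked article or video. The function name ParsedSyslog, its parameter names, and the Src_IP regex are assumptions; the Protocol dropdown is assumed to be single-select with an item whose value is the literal string "All".

```kql
// Added example. The "let" form lets the whole thing be tested in one Log
// Analytics query window; once it behaves, the body is saved via
// Save > Save as function (alias ParsedSyslog) with the three parameters
// declared in the save dialog, and the "let" wrapper is no longer needed.
let ParsedSyslog = (startTime: datetime, endTime: datetime, protocolFilter: string) {
    Syslog
    | where TimeGenerated between (startTime .. endTime)
    | where HostName has "172."
    // Original poster's protocol extraction (comma after the regex restored).
    | extend Protocol = extract(@'protocol=\"?(\w+)\"?', 1, SyslogMessage)
    // Assumed source-IP field format, standing in for the poster's "and much more".
    | extend Src_IP = extract(@'src=(\d{1,3}(?:\.\d{1,3}){3})', 1, SyslogMessage)
    // "All" from the dropdown means no protocol filter; otherwise match the selection.
    | where protocolFilter == "All" or Protocol =~ protocolFilter
    // Keep only the columns the charts need so each call moves little data.
    | project TimeGenerated, HostName, Protocol, Src_IP, SyslogMessage
};
// Local test call with literal values (runs in the query editor as-is).
ParsedSyslog(ago(1d), now(), "All")
| summarize count() by Src_IP
// In the workbook, after the function is saved, each chart's query is only:
//   ParsedSyslog({TimeRange:start}, {TimeRange:end}, "{Protocol}")
//   | summarize count() by Src_IP
// {TimeRange:start} and {TimeRange:end} are the workbook's formatting options
// for a time-range picker; they expand to datetime literals, which is why the
// function takes two datetimes rather than the raw {TimeRange} text.
```

The reason the poster's first attempt failed is visible in the signature: a workbook parameter like `{TimeRange}` expands to a text fragment (`between (... .. ...)`) that cannot be passed as a KQL value, so the function must take typed inputs (two datetimes, one string) and the workbook supplies them through the `:start`, `:end` and plain `{Protocol}` formats. A second chart reuses the same function with a different summarize, e.g. `| summarize count() by Protocol`, and pays the parsing cost only for the time range and protocol it actually asked for.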

@samikroy 

In a Workbook you also have the option to "duplicate" a Table (this is more useful if you only need to adjust a small part of the data / format it)

New Query --> DataSource: MERGE --> "Duplicate Table" --> <select your Results>

Hi @Marek Stelcik,


I might have some ideas that I can share. Can you provide some more details on the characteristics of your 'data' variable? How many rows and columns does it typically contain after using project or project-keep to reduce unnecessary data? A ball-park figure is fine.


Kind regards,

Rutger Smeets