Tools & Editors (Kusto web explorer & Kusto explorer)
4 Topics

Does the Azure Data Explorer optimize the entire query if your base table access is in a function?
I am optimizing some Kusto code in which the access to base tables is encapsulated in user-defined functions, sometimes several layers of function calls. For example, suppose you have a tabular function GetStuff() which in turn invokes a tabular function GetStuff2() which calls the base Kusto table Stuff. My question is: If I write a Kusto query which involves a join with the tabular function GetStuff(), will the Azure Data Explorer optimizer work to optimize the entire call stack that is involved? In other words, will it behave like views in a relational database where it will create and optimize a query plan for the entire query, first decomposing the view definition, or does the optimization only act at the function definition or query level?
1.3K Views, 0 likes, 1 Comment

How to connect with multiple Kusto clusters and add users with reader permission?
I have to add the app ID and tenant ID to grant permission to the application, and we have almost 38 public Kusto clusters. I would like to automate this process so I don't have to connect to the cluster each time and run the below command every time:

    .add database [db_name] viewers('aadapp=APP_GUID_HERE;tenant_id here') "TEAM_NAME_HERE"

Is there a way I can write a script which connects to all 38 clusters one by one and runs the above command?
1.2K Views, 0 likes, 0 Comments

Advanced hunting to include logged on users
Hello, I am using the below query to get an endpoint status report. The query works great; however, I am requesting help on modifying the query to show me the logged-on users. Thank you in advance.

    // Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
    | summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
    | extend Test = case(
        ConfigurationId == "scid-2000", "SensorEnabled",
        ConfigurationId == "scid-2001", "SensorDataCollection",
        ConfigurationId == "scid-2002", "ImpairedCommunications",
        ConfigurationId == "scid-2003", "TamperProtection",
        ConfigurationId == "scid-2010", "AntivirusEnabled",
        ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
        ConfigurationId == "scid-2012", "RealtimeProtection",
        ConfigurationId == "scid-91", "BehaviorMonitoring",
        ConfigurationId == "scid-2013", "PUAProtection",
        ConfigurationId == "scid-2014", "AntivirusReporting",
        ConfigurationId == "scid-2016", "CloudProtection",
        "N/A"),
        Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
    | extend packed = pack(Test, Result)
    | summarize Tests = make_bag(packed) by DeviceName
    | evaluate bag_unpack(Tests)

863 Views, 0 likes, 0 Comments

If/Then/Or Statement Based on Values in Column Ranges?
Hi all! I need help with the below if/then or statement that seems simple in theory, but I am struggling to write it in KQL. I am looking to get the results in the red "Adjusted Amount" column with a statement similar to this: "if all values in "Issue" are the same AND all values in "Level" are the same then return sum of "Amount" in "Adjusted Amount" - OR if all values in "Issue" are the same BUT "Level" is unique then return "Amount" in "Adjusted Amount"".

Example result:

    Issue  Level  Amount  Adjusted Amount
    ABCD   3      4995    5837
    ABCD   2      7       7
    ABCD   3      842     5837
    WXYZ   3      3000    3000
    WXYZ   4      500     500

799 Views, 0 likes, 1 Comment