I am trying to create a user defined function to store as a global function. This has to accept two field parameters and spit out a table.
I managed to get it to work as an inline function.
```kusto
let customFunc = (T:(Title: string)) {
    // Keep rows whose Title contains any of the listed terms, then de-duplicate
    T
    | where Title has_any ("value")
    | distinct Title
};
let SE_table = SecurityEvent | where TimeGenerated > ago(1h);
let x = customFunc(SE_table);
x
```
The results display the Title field from the SecurityEvent table with all unique values in the last hour. Once I save this as a global function in the GUI, I receive an error that customFunc expects a scalar value.
Tried saving customFunc as a global function using the GUI with T as a dynamic value, but no dice.
The closest I came to using a global function that takes a field value is detailed in the following article:
This predates creation of the GUI that permits saving functions without using PowerShell. I am able to cast T as a dynamic variable within the GUI, but the function declaration is a bit out of my league.
My end goal is to create a function that accepts two arguments, uses them to reference a watchlist and spits out a verdict.
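The end goal described above, written in the inline `let` form that the post reports as working. This is an added example, not code from the original post. The function name `watchlistVerdict`, the watchlist alias `SuspiciousLogons`, its custom `Computer` column, and the choice of `Account` and `Computer` as the two fields are all assumptions made for illustration.

```kusto
// Added example. Hypothetical names: watchlistVerdict, 'SuspiciousLogons'.
// Assumed watchlist layout: SearchKey holds the account name and a custom
// column named Computer holds the host name.
let watchlistVerdict = (T:(Account:string, Computer:string)) {
    // Normalise the watchlist once so the comparison is case-insensitive
    let wl = _GetWatchlist('SuspiciousLogons')
        | project WlAccount = tolower(tostring(SearchKey)),
                  WlComputer = tolower(tostring(Computer))
        | distinct WlAccount, WlComputer;
    T
    | extend AccountKey = tolower(Account), ComputerKey = tolower(Computer)
    // leftouter keeps every input row; unmatched rows get empty Wl* columns
    | join kind=leftouter (wl)
        on $left.AccountKey == $right.WlAccount,
           $left.ComputerKey == $right.WlComputer
    | extend Verdict = iff(isnotempty(WlAccount), "on watchlist", "not on watchlist")
    | distinct Account, Computer, Verdict
};
SecurityEvent
| where TimeGenerated > ago(1h)
| project Account, Computer
| invoke watchlistVerdict()
```

Because the two fields arrive as columns of a tabular parameter and are matched with a join, the verdict is computed for every row in one pass instead of calling a scalar function per row.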