KQL Tutorial Series - You need to learn KQL Functions! (Labs included) | EP7 

TeachJing

No matter what your KQL skill level, you can benefit from using KQL functions in your environment. I will show you how they work, and then we can play in a demo playground to reinforce what you learned.
Intro - 00:00:00
What is a function? - 00:00:30
Functions are like a kitchen blender - 00:01:09
How does a function in a query look? - 00:02:00
How to pass arguments to function - 00:02:35
Type of functions - 00:03:00
Local (query defined function) - 00:04:00
Global function (stored function) - 00:05:15
Scalar Functions - 00:06:04
Tabular Functions - 00:11:30
Demo
User-defined tabular function (local) - Let's build a tabular function - 00:15:20
User-defined scalar function (local) - 00:19:22
How to output scalar function to table viewer with print operator - 00:20:40
User-defined scalar function (stored function/global) - 00:25:40
User-defined tabular function (stored function/global) - 00:28:50
Resources
www.teachjing.com
aka.ms/kqldataexplorer
aka.ms/lademo
KQL Tutorial Series Playlist
• KQL Tutorial Series
Connect with me!
Twitter - / teachjing
LinkedIn - / teachjing

Published: 7 Jul 2024

Comments: 14
@davinelm1545 2 years ago
TeachJing, your videos are so incredibly helpful. I was struggling with joins and found your channel and have been binge watching since. Thank you so much for the effort you put into these, you're helping the whole security ecosystem become stronger.
@TeachJing 1 year ago
You are so welcome!
@rahul53403 2 years ago
Good👍 one
@maryamkhouei5072 2 years ago
I just found you!!! Amazing videos. Thank you. :)
@TeachJing 2 years ago
Thank you for the kind words!
@cornemouton2740 2 years ago
lol @ still using winamp :) if it ain't broke... (I also still appreciate its simplicity) Thanks for the video, very informative.
@TeachJing 2 years ago
It really kicks the llama's ass
@ok103 2 years ago
Great video!! I saw all your videos, they are really good!!! Can I ask a question ... if I have a function, can I put it in the dashboard so that when it's called it will pop up to insert the parameters?
@TeachJing 2 years ago
No. You need to provide the parameters when you call the function.
@ok103 2 years ago
@TeachJing thanks!
@arunkiran7845 2 years ago
Can I pass a table name as a parameter in a user stored function? I am trying something like: let data=(searchtable:string) { table(searchtable) | count }; I make this a user stored function with the searchtable parameter defined in the function, and when I call the stored function (let's say I stored it as test), then test("Heartbeat") should give the count of events in Heartbeat, but it gives an error saying "body of the callable expression cannot be empty". Any idea?
@TeachJing 2 years ago
I have done this in workbooks pretty easily because workbook parameters will pass the string into the query prior to anything being evaluated. So you actually don't even need a let statement. In regards to directly answering your question: you gotta do a trick, sorta. You see, that let statement will run through a pre-check, and that table is invalid since you haven't provided a value yet before it was evaluated. It's trying to figure out the table. You can try doing a search and filtering on the table name, which might be able to take a string! I just haven't tried that, but it seems like a better way since that condition IS expecting a string. I think I have done this exact scenario but don't recall when. Let me know if this works for you.
@skeginaldp1533 2 years ago
You know Pokémon. We all know Pokémon!
@TeachJing 2 years ago
Gotta catch em all