
I have a table that has many other columns such as username, hostname, etc. One of the columns also stores a certain Query.

UserQueryTable

    Username  Hostname  CustomQuery
    Sam       xyz       some_query_1
    David     abc       some_query_2
    Rock      mno       some_query_3
    Well      stu       some_query_4

When I run a KQL query such as:

    UserQueryTable | where Username == "Sam"

I get:

    Username  Hostname  CustomQuery
    Sam       xyz       some_query_1

Note the "some_query_1" value under CustomQuery? That is an actual KQL query that is also part of the table result. I want to find a way to retrieve "some_query_1" and EXECUTE it right after my KQL query `UserQueryTable | where Username == "Sam"`.

That CustomQuery query will give me additional info about my alert, and I need to get that query string from the table and execute it. The CustomQuery in the table looks something like this:

    let alertedEvent = datatable(compressedRec: string)
        [' -----redacted----7ziphQG4Di05dfsdfdsgdgS6uThq4H5fclBccCH6wW8M//sdfgty==']
        | extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec))
        | evaluate bag_unpack(raw)
        | project-away compressedRec;
    alertedEvent

So basically the 1st query returns a result where one of the returned columns itself contains queries, and I want to be able to run the returned queries. The Query_ == CustomQuery; the Query_ here is the CustomQuery.

I tried using user-defined functions but have not been able to come up with something that works. Please help!


1 Answer

If I understand your question correctly, you have a query that returns a list of queries, and you want to get, from that set, the list of queries that were actually run.

In that case, you can:

  1. Use the .show queries command, which returns the list of queries executed on the cluster (read more here). Notice that .show queries returns the list of queries you ran, or, if you have database admin permissions, the list of queries anyone ran on the database.
  2. Enable diagnostic settings on your cluster and send the query logs (read more here). This sends all queries executed on the cluster to a Log Analytics workspace of your choice.

You can then use either of these options and join with your table to determine which queries were actually executed. For example, using the first option:

    .show queries
    | join datatable (Query_: string)
        [
            "Table | where somecol contains 1",
            "Table | where somecol contains 2"
        ] on $left.Text == $right.Query_

answered 2021-04-11T07:03:27.657
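The same join applied to the asker's UserQueryTable instead of an inline datatable, as an added example that is not part of the original answer. It assumes the .show queries output columns Text, StartedOn, Duration, State and User (as documented for the command), that a management command's result can be joined against a table in the same statement, and that the stored CustomQuery text may differ from the executed text only in whitespace, which is why both sides are normalised before the join:

```kusto
// Added example, not from the original answer.
// Which of Sam's stored CustomQuery strings have actually been executed on
// this cluster in the last day, and how did those executions end?
// Whitespace is normalised on both sides because a stored query rarely
// matches the text the client sent byte-for-byte (indentation, CRLF, etc.).
.show queries
| where StartedOn > ago(1d)                                   // keep the scan bounded
| extend NormText = replace_regex(trim(@"\s+", Text), @"\s+", " ")
| join kind=inner (
    UserQueryTable
    | where Username == "Sam"
    | extend NormText = replace_regex(trim(@"\s+", CustomQuery), @"\s+", " ")
    | project Username, Hostname, NormText
) on NormText
| project Username, Hostname, StartedOn, Duration, State, User, Text
| order by StartedOn desc
```

Two caveats worth keeping in mind. First, this join tells you whether and when the stored query ran, not what it returned: KQL has no construct for taking a string produced by one query and executing it as a second query, so "run CustomQuery for the matching row" has to be done by the calling client (SDK, REST, or a Logic App/Function), which reads CustomQuery from the first result and issues it as a separate request. Second, a column whose contents are executed as queries is an injection surface: whoever can write to UserQueryTable can run arbitrary KQL under the identity that executes the second request, so restrict write access to that table and run the follow-up query with a principal that has only the read permissions it needs.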