16 August 2021

  • 2

  • 13461 views

  • 0

16 August 2021

13461 views
2 0

Creating functions in Kusto Queries

In the previous blog, I illustrated how to create sub-queries in Kusto.

However, sometimes we may face even more complex situations and we may need to create not only a sub-query, but a function.

Another way to think about a function inside a Kusto query is like a parameterized sub-query.

Let’s review the query from the previous blog:

let outliers=
    AppServiceHTTPLogs
        |summarize Total=count() by CIp,bin(TimeGenerated,1d)
        |where Total > 100
        |project CIp;
AppServiceHTTPLogs
    |where CIp !in (outliers)
    |summarize Total=count() by dayofweek(TimeGenerated),Week=bin(TimeGenerated,7d)
    |project Day=format_timespan(Column1,’d’),Week,Total
    |order by Day asc
    |project Day,Week,Total

This query has one problem: The Day field is numeric. This makes the result a bit more difficult to understand.

Creating the Function

As developers, create a function to translate the day to the name of the day in the week is something natural. There may be other way to solve this problem, but in my opinion this keep the query more organized as well.

A function in Kusto to translate the day will be like this:

let weekday = (day:int) {
        case(day == 0, “Sun“,
        day == 1, “Mon“,
        day == 2, “Tue“,
        day == 3, “Wed“,
        day == 4, “Thu“,
        day == 5, “Fri“,
        “Sat”)
    };

The function is not much different than a sub-query:

1) The function has an input parameter with type defined
2) The function uses curly brackets
3) The function needs to return a value, but if we have a single calculation inside the function, it will be automatic

 

Using the Function

The bad news: There is no function library or anything similar in Log Analytics. The function needs to be together the query. Our final query using the function will be like this:

let weekday = (day:int) {
        case(day == 0, “Sun“,
        day == 1, “Mon“,
        day == 2, “Tue“,
        day == 3, “Wed“,
        day == 4, “Thu“,
        day == 5, “Fri“,
        “Sat”)
    };
let outliers=
    AppServiceHTTPLogs
        |summarize Total=count() by CIp,bin(TimeGenerated,1d)
        |where Total > 100
        |project CIp;
AppServiceHTTPLogs
    |where CIp !in (outliers)
    |summarize Total=count() by dayofweek(TimeGenerated),Week=bin(TimeGenerated,7d)
    |project Day=format_timespan(Column1,’d’),Week,Total
    |order by Day asc
    |project Day=weekday(Day),Week,Total

  • 2

  • 13461 views

Rate this article

Click to rate this post!
[Total: 3 Average: 3.7]

Dennes Torres

Dennes Torres is a Data Platform MVP and Software Architect living in Malta who loves SQL Server and software development and has more than 20 years of experience. Dennes can improve Data Platform Architectures and transform data in knowledge. He moved to Malta after more than 10 years leading devSQL PASS Chapter in Rio de Janeiro and now is a member of the leadership team of MMDPUG PASS Chapter in Malta organizing meetings, events, and webcasts about SQL Server. He is an MCT, MCSE in Data Platforms and BI, with more titles in software development. You can get in touch on his blog https://dennestorres.com or at his work https://dtowersoftware.com

Follow Dennes Torres via

View all articles by Dennes Torres

Load comments

Related articles

 21 February 2024
21 February 2024

Eventstream and the new KQL Processing

0
1
Eventstream has many differences in relation to the technologies it proposes to replace. Event Hub, Stream Analytics, Streaming Dataflows and more. We can compare these technologies, but EventStream in Microsoft Fabric has some specific differences from all of them. One of the differences is how the transformation of the input data is linked to the … Read more
0
1
28 February 2024
28 February 2024

Customizing Kusto (Data Explorer) Connections in Deployment pipeline

0
1
When organizing our SDLC (Software Development Lifecycle) in Power BI/Fabric, we use Deployment Pipelines and create rules to change connection configurations every time we promote an object from one environment (dev for example) to another (test, for example). Kusto connections, on the other hand, are not so simple. You can check more about Deployment Pipelines … Read more
0
1
31 January 2022
31 January 2022

Saving and Sharing Log Analytics Query

0
2
Update on 01/03/2022: There are two small mistakes on the article below. A) On the UI, the only Tag value which accepts customization is Label. I believe the customization is possible through API, but I haven’t checked it. B) The filter and group by using the Label tag is possible. The Label only appears as … Read more
0
2

Tags

, ,