question

PreetParikh-5702 asked clivewatson-9831 answered

How to get all the data from a column in a conditional statement using KQL in a Workbook

I am using the KQL query

name_of_log_table
| where abc has "103.90.06.102"
| where pqr == "def"
| project ip

to get a specific IP address from the log table, from the column named abc, but now I want to get all the data from that column abc using

name_of_log_table
| where abc has "*"
| where pqr == "def"
| project ip

But I am not able to get it, as * will be considered as null.

So how can I get all the data of the abc column?

Note: we are passing the value of column abc through a parameter, so the line must be there.
FYI, the query looks like this

name_of_log_table
| where abc has '{param1}'
| where pqr == '{param2}'
| project ip

Tags: azure-monitor, microsoft-sentinel

clivewatson-9831 answered PreetParikh-5702 commented

In your parameter, tick "allow multiple selection"; then you can specify an "all" value and a default such as "all" or "*".

You are then able to check the label for the value or the data you passed from the parameter.

| where "{LogSeverity:label}" == "All" or LogSeverity in ({LogSeverity})




An example: look at the 'Product Name' or 'Owner' parameter in https://github.com/Azure/Azure-Sentinel/blob/96245e4d59fa4d32f69b56efbffa3cf579683344/Workbooks/SentinelCentral.json



Thank you for your response @clivewatson-9831
But what if the dropdown has no value,
i.e. no selected value, no All;
it's empty.

I tested the query like:

name_of_log_table
| where (isempty('{LogSeverity:label}') or "{LogSeverity:label}" == "All" or LogSeverity in ({LogSeverity}))

but it's showing an error.
Note: if I am using

(isempty('{LogSeverity:label}')or "{LogSeverity:label}" == "All")

then it's working, but not working when I write the 3rd statement.



clivewatson-9831 answered

That's quite an edge case. If you don't select any parameter, the method I showed displays "The query could not run because some parameters are not set"; users typically understand they have to select at least one thing. If the default item is "all", it's less likely that they won't tick something.

You could look to see if a CRITERIA rather than a JSON or Logs query could help, or setting a dynamic empty variable for the array.

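As an added example (not code from either answer or from the SentinelCentral workbook), here is the "All"-label check from the first answer applied to the question's own table and column names, combined with the "dynamic empty variable for the array" idea from the second answer. Workbook parameter substitution happens before the query reaches Log Analytics, so the three `let` lines stand in for what `"{param1:label}"`, `{param1}` and `'{param2}'` would expand to; the values are constructed for illustration, and `has_any` is used as the multi-value counterpart of the question's `has`.

```kql
// Added example (not from the thread). The let-bound values simulate what the
// workbook would have substituted into the query text; change them to see the
// three cases: a specific selection, "All", and nothing selected.
let param1_label = "All";                       // stand-in for "{param1:label}"
let param1_values = dynamic(["103.90.06.102"]); // stand-in for the {param1} list; dynamic([]) means nothing selected
let param2 = "def";                             // stand-in for '{param2}'
name_of_log_table
// Keep every row when the user picked "All" or selected nothing at all;
// otherwise require one of the selected terms to appear in abc.
| where param1_label == "All"
    or array_length(param1_values) == 0
    or abc has_any (param1_values)
| where pqr == param2
| project ip
```

Inside the workbook itself, with a multi-select parameter that has "All" enabled, the first filter line is written as `| where "{param1:label}" == "All" or abc has_any ({param1})`, which is the same shape as the first answer's `LogSeverity in ({LogSeverity})`. The `array_length(...) == 0` test only works when the array is a real `dynamic` value in the query; if a non-required multi-select parameter is left empty, the substituted text becomes `has_any ()` or `in ()` with nothing between the parentheses, which KQL rejects as a syntax error, and that is the most likely reason the questioner's third clause failed while the two-clause version worked.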