.create function

Creates a stored function, which is a reusable KQL query, with the given name. The function definition is persisted with the database metadata.

Functions can call other functions (recursion isn't supported). Let statements are also allowed as part of the function body. See let statements.

Rules for parameter types and CSL statements are the same as for let statements.


.create function [ifnotexists] [with ([docstring = Documentation] [, folder = FolderName] [, view = View] [, skipvalidation = 'true'] )] FunctionName ( ParamName : ParamType [, ...] ) { FunctionBody }


| Input parameter | Type | Description |
|---|---|---|
| ifnotexists | bool | Will be executed only if the function doesn't exist (when set to true). |
| docstring | String | A description of the function. |
| folder | String | The name of the folder tag. |
| view | bool | Designates this function as a stored view. |
| skipvalidation | bool | When set to true, it will run validation logic on the function and fail if function isn't valid. (Default: true) |
| FunctionName(ParamName:ParamType) | String (String:datatype) | Name of the function, the parameter name and datatype. |
| FunctionBody | | A user defined function expression. |


| Output parameter | Type | Description |
|---|---|---|
| Name | String | The name of the function. |
| Parameters | String | The parameters required by the function. |
| Body | String | (Zero or more) let statements followed by a valid CSL expression that is evaluated upon function invocation. |
| Folder | String | A folder used for UI functions categorization. This parameter doesn't change the way function is invoked. |
| DocString | String | A description of the function for UI purposes. |


  • If the function already exists:
    • If ifnotexists flag is specified, the command is ignored (no change applied).
    • If ifnotexists flag is NOT specified, an error is returned.
    • For altering an existing function, see .alter function
  • Requires database user permission.
  • Not all data types are supported in let statements. Supported types are: boolean, string, long, datetime, timespan, double, and dynamic.
  • Use skipvalidation to skip semantic validation of the function. This is useful when functions are created out of dependency order, for example when F1, which uses F2, is created before F2.

Example: Simple demo function

.create function 
with (docstring = 'Simple demo function', folder='Demo')
MyFunction1() {StormEvents | limit 100}

| Name | Parameters | Body | Folder | DocString |
|---|---|---|---|---|
| MyFunction1 | () | {StormEvents \| limit 100} | Demo | Simple demo function |

Example: Demo function with parameter

.create function
with (docstring = 'Demo function with parameter', folder='Demo')
MyFunction2(myLimit: long) {StormEvents | limit myLimit}

| Name | Parameters | Body | Folder | DocString |
|---|---|---|---|---|
| MyFunction2 | (myLimit:long) | {StormEvents \| limit myLimit} | Demo | Demo function with parameter |
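
Example: Out-of-order creation with skipvalidation and ifnotexists

This is an added example, not part of the original documentation, illustrating the notes on skipvalidation, ifnotexists, and let statements in the function body. The function names StormSample and RecentStorms are hypothetical, and each command is run separately.

```kusto
// 1. StormSample calls RecentStorms, which does not exist yet.
//    Semantic validation of the body would fail at this point,
//    so skipvalidation is set to defer the check.
.create function
with (docstring = 'Depends on RecentStorms', folder = 'Demo', skipvalidation = 'true')
StormSample(myLimit: long) { RecentStorms() | limit myLimit }

// 2. Create the dependency afterwards. The body starts with a let
//    statement followed by the expression evaluated on invocation.
.create function ifnotexists
with (docstring = 'Base query used by StormSample', folder = 'Demo')
RecentStorms() { let maxRows = 1000; StormEvents | limit maxRows }

// 3. Re-running a create for the same name with ifnotexists is ignored:
//    the definition from step 2 stays in place and no error is returned.
//    Without ifnotexists this command would return an error instead.
.create function ifnotexists
with (docstring = 'Attempted redefinition', folder = 'Demo')
RecentStorms() { StormEvents | limit 5 }

// 4. Invoke the dependent function. The reference to RecentStorms is
//    resolved now, at invocation time.
StormSample(10)
```

Because validation was skipped in step 1, a mistyped function name in the body of StormSample would only surface as an error at step 4.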