How to use result of first KQL query in the second query to filter results?

Time: 12-29

I have a first KQL query that returns a list of domain names, and then I want to use these to filter another KQL query. I just can't figure out the syntax to do it. Is there a way to use the contains() operator with a for loop/iteration in KQL?

KQL - Query 1

    // Tabular lambda returning the distinct hostnames of interest.
    let hostnames = () {
        AllDomains
        | where hostname !contains "default.com" and hostname != ""
        | distinct hostname
    };

KQL - Query 2

    let start_date = ago(10m);
    let end_date = now();
    LogEvents
    | where env_time between (start_date .. end_date)
    | where headers contains "X-Forwarded-For"
    | where queryString contains (hostnames()) // This is what is needed to filter on all the domains from the first query.
    | project queryString

CodePudding user response:

It would be better if you provided a sample of how your data looks and what you are trying to accomplish, but I think that instead of contains you'd want to use has_any.

CodePudding user response:

This could work:

    let hostnames =
        AllDomains
        | where isnotempty(hostname) and hostname !has "default.com"
        | distinct hostname
    ;
    let start_date = ago(10m);
    let end_date = now();
    LogEvents
    | where env_time between (start_date .. end_date)
    | where headers contains "X-Forwarded-For"
    | where queryString has_any (hostnames)
    | project queryString
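As an added example that is not part of the original thread, here is the has_any pattern from the answer above run against constructed inline datatable rows, so it can be pasted into a Kusto query window without the real tables (table and column names follow the question; the sample rows and the fixed date window are assumptions).

```kusto
// Constructed sample data standing in for the asker's AllDomains and LogEvents tables.
let AllDomains = datatable(hostname: string)
[
    "example.com",
    "default.com",
    "api.default.com",   // excluded below: "has" matches the term phrase default.com
    "",                  // excluded below: empty hostname
    "shop.example.org"
];
let LogEvents = datatable(env_time: datetime, headers: string, queryString: string)
[
    datetime(2023-12-29 10:00:00), "X-Forwarded-For: 10.0.0.1", "redirect=https://example.com/login",
    datetime(2023-12-29 10:01:00), "X-Forwarded-For: 10.0.0.2", "redirect=https://api.default.com/",
    datetime(2023-12-29 10:02:00), "Accept: */*",                "redirect=https://example.com/",
    datetime(2023-12-29 10:03:00), "X-Forwarded-For: 10.0.0.3", "q=shop.example.org"
];
// Query 1 as a tabular let: a single-column result with empty and default.com hosts removed.
let hostnames =
    AllDomains
    | where isnotempty(hostname) and hostname !has "default.com"
    | distinct hostname;
// Query 2: has_any accepts the tabular expression directly (Kusto caps it at 10,000 values).
// A fixed window replaces ago(10m)/now() only because the sample timestamps are constants.
let start_date = datetime(2023-12-29);
let end_date = datetime(2023-12-30);
LogEvents
| where env_time between (start_date .. end_date)
| where headers contains "X-Forwarded-For"
// has_any is term-based: it matches whole terms, not arbitrary substrings like contains does.
| where queryString has_any (hostnames)
| project queryString
```

Only the requests whose queryString carries one of the retained hostnames and whose headers include X-Forwarded-For survive the filter.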