KQL: how to save a query as a function with parameters?
Hi
I have written this query, and I saved it as a function and entered the parameters as shown in the figure. I need to understand where I am going wrong. If I call the function and input the parameters, the result is an error.
let login = (startDate: datetime, endDate: datetime, accountNameFilter: string = "", groupName: string = "") {
    SigninLogs
    | where TimeGenerated between (startDate .. endDate)
    | extend user_1 = tolower(UserPrincipalName)
    | join kind=inner (
        IdentityInfo
        | extend user_2 = tolower(AccountUPN)
    )
    on $left.user_1 == $right.user_2
    | where (ResultType == "0" or ConditionalAccessStatus has "success")
    | mv-expand GroupMembership
    | where GroupMembership has groupName
    | project-away user_1, user_2
    | distinct AccountDisplayName, TimeGenerated, AppDisplayName
    | extend Day = startofday(TimeGenerated)
    | extend TimeBin = bin(TimeGenerated, 1h)
    | summarize last_login = max(TimeGenerated), first_login = min(TimeGenerated), day = dcount(Day) by AccountDisplayName
    | where (accountNameFilter == "" or AccountDisplayName has accountNameFilter)
    | order by last_login desc
    | render barchart kind=unstacked
};
login