Azure Log Analytics: Dynamic Arrays

In my first post on parsing we looked at Event Log data and parsed it to pull user names out of the event data. Sometimes we want to work with a list of values, such as user or computer names, and look for those in the data. Jon once again asked for a little help with an 'or' statement. I won't repeat his exact example here, but it is essentially this syntax; I've used Heartbeat data as a different example.


Heartbeat
| where Computer == "DC01.fabrikamltd.co.uk" or Computer == "DC02.fabrikamltd.co.uk" or Computer == "DC03.fabrikamltd.co.uk"
| project Computer

Now you could write the above like this instead

Heartbeat
| where Computer startswith "DC0"
| project Computer


...as all the computer names start with DC0. Bear in mind that startswith is a prefix match (and, unlike startswith_cs, a case-insensitive one), so it would also return DC04 or any other host whose name happens to begin with DC0, not just the three you listed. If you substitute user names, or a longer list of computer names that share no convenient prefix, you end up with ranges and many OR / AND statements. As the list grows the number of ORs grows with it, and it can look a little messy.

So we can use an array instead, as you would in other languages. After looking at arrays in the language reference I was stumped; eventually, after a lot of searching, I found 'dynamic'. As it was hard to find (for me), I thought it was worth posting.

Language reference: https://docs.loganalytics.io/docs/Language-Reference. Eventually I came across dynamic here: https://docs.loganalytics.io/docs/Language-Reference/Data-types/dynamic, but it was the examples for IN that really helped: https://docs.loganalytics.io/docs/Language-Reference/Scalar-operators/in_!in-operators

// The list of computers to match, held in a dynamic (JSON-style) array.
// Note: in, like ==, is case-sensitive; use in~ for a case-insensitive match.
let mytesttxt = dynamic(['DC01.fabrikamltd.co.uk', 'DC02.fabrikamltd.co.uk', 'DC03.fabrikamltd.co.uk']);
Heartbeat
| where Computer in (mytesttxt)
| project Computer


So whilst the above example is the same number of lines, I think it's easier to read, especially if the dynamic array grows. It's also, IMO, easier to keep the list updated in an array than across many OR statements. I've run some side-by-side tests and the data seems to return in the same time, so whilst I don't think one method is more efficient than the other, I like how arrays are used in Azure Log Analytics v2. One caveat: in (like ==) is case-sensitive, so 'dc01.fabrikamltd.co.uk' would not match the array above; use in~ (and !in~ for exclusions) when you need a case-insensitive match.

You can see this in action in the last screenshot: an array of important Windows user accounts, combined with parse again.
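The screenshot itself is not reproduced here, so the query below is an added example of the same idea, not the original post's query. It assumes the standard SecurityEvent table that the Security solution writes to a Log Analytics workspace (columns EventID, Account, Computer, TimeGenerated); the account and computer names in the two arrays are constructed for illustration. It holds a list of privileged accounts in one dynamic array and a list of domain controllers in another, splits the DOMAIN\user value in Account with parse so the list can hold bare user names, and uses the case-insensitive in~ so that an attacker logging on as "administrator" is not missed by a case-sensitive comparison:

```kql
// Added example (not from the original post). Assumes the SecurityEvent table
// from the Security solution; all names below are constructed for illustration.
let privilegedAccounts = dynamic([
    "Administrator",
    "krbtgt",
    "svc_backup",
    "svc_sql"
]);
let domainControllers = dynamic([
    "DC01.fabrikamltd.co.uk",
    "DC02.fabrikamltd.co.uk",
    "DC03.fabrikamltd.co.uk"
]);
SecurityEvent
| where TimeGenerated > ago(1d)
// 4624 = successful logon, 4625 = failed logon; a literal list works with in as well
| where EventID in (4624, 4625)
// Account is DOMAIN\user; "\\" is a single backslash in a KQL string literal.
// Rows without a backslash get empty Domain/User and fall out at the next step.
| parse Account with Domain "\\" User
// in~ is the case-insensitive form of in; plain in would skip "administrator"
| where User in~ (privilegedAccounts)
// Logons by these accounts on the DCs themselves are expected, so exclude them
| where Computer !in~ (domainControllers)
| summarize Logons = count(),
            Failures = countif(EventID == 4625),
            Hosts = make_set(Computer)
          by Domain, User
| order by Failures desc
```

Keeping the two lists in let statements at the top means the watchlist is the only thing that changes when an account is added or a DC is renamed; the matching logic below it stays untouched, which is the maintainability point of the post.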


Comments

  • Anonymous
    October 04, 2017
    Thanks for this post Clive! I had also looked through the documentation but missed this section, your post gave me the answer in a very clear and concise way.
    • Anonymous
      October 04, 2017
      Glad it was helpful Reis.