Search code examples
convertersdatetime-formatazure-data-explorerkql

Convert TimeGenerated with KQL stored function

Please help me on this. I couldn't figure out a way to make this work. My goal is to convert the TimeGenerated(7/3/2023, 14:00:00 AM) in Sentinel logs into this format here: for example, "3 July 2023, 14:00:00 AM". I have the query to convert it however it is way too long which makes my queries look messy. So I decided to save it as stored function and willing to apply it to any tables by giving parameter to it and output the timegenerated to my desire result. Below are the current queries I have:

This is the query in stored function (named "DT").

let GetMonth = view(Month: int) {
case(
    Month == 1,
    "January",
    Month == 2,
    "February",
    Month == 3,
    "March",
    Month == 4,
    "April",
    Month == 5,
    "May",
    Month == 6,
    "June",
    Month == 7,
    "July",
    Month == 8,
    "August",
    Month == 9,
    "September",
    Month == 10,
    "October",
    Month == 11,
    "November",
    Month == 12,
    "December",
    "")};
let dt = (x: datetime) { strcat(dayofmonth(datetime_utc_to_local(x, 'Asia/Singapore')), " ", GetMonth(monthofyear(datetime_utc_to_local(x, 'Asia/Singapore'))), " ", datetime_part("Year", datetime_utc_to_local(x, 'Asia/Singapore')), " ", format_datetime(datetime_utc_to_local(x, 'Asia/Singapore'), 'hh:mm:ss tt'), " SGT") };

This is the main query which I want to apply the stored function

<table>
| where Computer == "datahouse01" and Activity == "Deletion of Records" and DestinationUserName ==  "FVO44ad"
| extend TimeGenerated = DT(TimeGenerated)
Solution

  • I have reproduced in my environment and got expected results as below:

    Body of the callable expression cannot be empty

    This type of error comes when function is empty that we are calling:

    Example:

    let A = (a:string) { };
A("hello Rithwik")

    enter image description here

    Then used below query:

    let GetMonth = view(Month: int) {
case(
    Month == 1,
    "January",
    Month == 2,
    "February",
    Month == 3,
    "March",
    Month == 4,
    "April",
    Month == 5,
    "May",
    Month == 6,
    "June",
    Month == 7,
    "July",
    Month == 8,
    "August",
    Month == 9,
    "September",
    Month == 10,
    "October",
    Month == 11,
    "November",
    Month == 12,
    "December",
    "")};
let dt = (x: datetime) { strcat(dayofmonth(datetime_utc_to_local(x, 'Asia/Singapore')), " ", GetMonth(monthofyear(datetime_utc_to_local(x, 'Asia/Singapore'))), " ", datetime_part("Year", datetime_utc_to_local(x, 'Asia/Singapore')), " ", format_datetime(datetime_utc_to_local(x, 'Asia/Singapore'), 'hh:mm:ss tt'), " SGT") };

AzureActivity
|extend TimeGenerated = dt(TimeGenerated)

    And it did worked for me as below:

    enter image description here

    Fiddle.

    I have observed another thing that you have used small dt in function and Capital DT while calling, plz check it too. As the function is working fine for me.

    So, you should not just call main query, you need to call it with the custom function(select all and the run) you will get desired result as I have got.