Search code examples
azurekqlazure-log-analyticskusto-explorer

How do I call a Kusto function with multiple params on each row of a table

I have the Kusto function, which will take a few parameters and return a scalar output. I want to call this on each row of a table.

function = test_data(since:datetime) {

   // perform some operations and return scalar results;
   let result = <sometable>
   let scalar_data = toscalar(result);
   print(scalar_events);

}

I want to call this on each row of a table:

When I tried this:

let result_data = datatable(since:datetime)
[
  datetime(2023-09-20T18:37:14.5162522Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
];
result_data
| extend data = test_data(since);

I got the below error:

Error

Semantic error: Tabular expression is not expected in the current context

clientRequestId:

When I tried using toscalar as follows the column was not visible.

let result_data = datatable(since:datetime)
[
  datetime(2023-09-20T18:37:14.5162522Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
];
result_data
| extend data = toscalar(test_data(since));

Error:

Error

Semantic error: 'toscalar' operator: Failed to resolve table or scalar expression named 'since'

clientRequestId:

When I passs static datetime, It works fine.

let result_data = datatable(since:datetime)
[
  datetime(2023-09-20T18:37:14.5162522Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
];
result_data
| extend data = toscalar(test_data(datetime(2023-09-20T18:37:14.5162522Z)));

How do I call a Kusto function on each row of a table? I have multiple params to pass here. For example, I am passing one param (Since)

Solution

  • I have reproduced in my environment and below are my observations:

    Note: If you want to use toscalar(), it can only be used on a single expression but not on column, this is a limitation as per Microsoft-Document:

    Returns a scalar constant value of the evaluated expression. enter image description here

    Below is the KQL Query which worked for me and I have used tostring() on each row in a table:

    let x = (since:datetime)
{
tostring(since)
};
let result_data = datatable(since1:datetime)
[
  datetime(2023-09-20T18:37:14.5162522Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
  datetime(2023-09-20T18:37:29.2246502Z),   
];
result_data
| extend data = x(since1);

    Output:

    enter image description here

    Fiddle.