How do I connect kqlmagic to more than one Log Analytics workspace at the same time?

Question

In my Jupyter notebook, I want to run the same KQL query against different Sentinel workspaces and compare the results as data frames. Is there an easy way to have multiple workspace connections at the same time or would I need to reconnect and query each workspace individually every time I change my KQL query?

Answer 1

You have few options to achieve it.

1. As suggested above to use a cross-workspace-query that will result in a table that will include records from all the workspaces specified, you can then split it into multiple data frames.
2. Create multiple connections, and query each one by one. You can have multiple queries in one %%kql cell (separate each query with an empty line and assign result of each query to a different python variable
3. write python code that iterates over the workspaces, and use %kql (one line magic)
4. write python code that iterates over workspaces, and invoke Kqlmagic with the ipython magic API
5. write python code that iterated over workspaces, and use Kqlmagic module

(I am the author of Kqlmagic,)

Answer 2

See if cross-workspace queries satisfy your requirements. And a bit more documentation here. Cross-workspace queries are for exactly you describe. You use a union operator to link both - similar to how you would link two tables using union.

Snipped from the article:

workspace('<workspace-A>').SecurityEvent

| union workspace('<workspace-B>').SecurityEvent