dueland

Reputation: 87

Restrictions on User Defined Functions: Unresolved reference binding

I'm trying to understand if it is possible to extend a new column with the output of a user defined function.

I would like to achieve the same as the following:

print k='8.8.8.8'
| extend l = geo_info_from_ip_address(k)

In my user defined function I'm contacting an API with a value stated in a parameter and returning a tabular output. The documentation on User Defined Functions seems to suggest there are some restrictions on achieving this because the parameter would depend on the row-context. Is it possible to overcome this restriction in any way?

The error message I'm getting in particular is:

Semantic error: Unresolved reference binding: 'IPAddress'

edit: sample query as requested below

let f = (IP:string) {
    let uri=strcat('https://www.virustotal.com/api/v3/ip_addresses/', IP);
    let header=dynamic({'x-apikey':'x'});
    let request = (uri:string, headers:dynamic) {
        evaluate http_request(uri, headers)
    };
    request(uri, header)
    | evaluate bag_unpack(ResponseBody, 'rbody_')
    | mv-expand rbody_data
    | evaluate bag_unpack(rbody_data)
    | where isnotempty(attributes)
    | evaluate bag_unpack(attributes)
    | project-away ResponseHeaders, ResponseStatusCode, ResponseReasonPhrase
    | extend IP = IP
    | extend whois_date = column_ifexists("whois_date", "")
    | extend whois = column_ifexists("whois", "")
    | extend last_modification_date = column_ifexists("last_modification_date", "")
    | extend last_analysis_date = column_ifexists("last_analysis_date", "")
    | extend last_analysis_stats = column_ifexists("last_analysis_stats", "")
    | extend as_owner = column_ifexists("as_owner", "")
    | extend asn = column_ifexists("asn", "")
    | extend ['network'] = column_ifexists("['network']", "")
    | project tostring(as_owner)
};
SigninLogs
| extend l = geo_info_from_ip_address(IPAddress)

| extend k = f(IPAddress)        
// Result: Semantic error: Unresolved reference binding: 'IPAddress'
| extend k = f('8.8.8.8')   
// Result: Tabular expression is not expected in the current context
| extend k = toscalar(f('8.8.8.8'))
// Result: works as intended. But does not work for each row
| extend k = toscalar(f(IPAddress))
// Result: 'toscalar' operator: Failed to resolve table or scalar expression named 'IPAddress'

Upvotes: 0

Views: 102

Answers (1)

dueland

Reputation: 87

I talked with a member of the Kusto team regarding this. He managed to boil the question down to how I would like to use the http_request function and the realisation that Kusto is imposing a restriction on the usage of the function; see the following sample code and error message.

SigninLogs
| take 10
| project IPAddress
| extend uri = strcat("https://www.virustotal.com/api/v3/ip_addresses/", IPAddress)
| extend header = dynamic({'x-apikey':'xx'})
| evaluate http_request(uri, header)

Yields the error message:

evaluate http_request(): the following error(s) occurred while evaluating the output schema: The 'http_request' plugin's argument 'uri' must be a constant.

Why does the uri need to be a constant? How can I make an HTTP request where the uri depends on the value of a column?

Upvotes: 0
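
Added example, not part of the original post and not code from the Kusto team: since the error above requires the `uri` argument to be a constant, one pattern that avoids a per-row `http_request` is to resolve the distinct IP addresses outside the query and join the results back with `lookup`. The Python below builds such a query from already-collected results; the names `kql_string`, `build_lookup_query` and `vt_owner`, and the sample owners, are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: as_owner values already collected per distinct IP
# (e.g. from the output of `SigninLogs | distinct IPAddress`), not real data.
SAMPLE_ENRICHMENT = {
    "8.8.8.8": "EXAMPLE-OWNER-A",
    "192.0.2.10": 'Example "Test" Net',
}


def kql_string(value: str) -> str:
    """Quote a value as a double-quoted KQL string literal.

    Whitespace (including newlines) is collapsed, then backslashes and
    double quotes are escaped so API-supplied text cannot end the literal.
    """
    cleaned = " ".join(str(value).split())
    return '"' + cleaned.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_lookup_query(enrichment: dict, table: str = "SigninLogs") -> str:
    """Return KQL that joins per-IP enrichment onto `table` by IPAddress.

    Every key must parse as an IP address; anything else raises ValueError
    instead of being written into the query text.
    """
    rows = []
    for ip, owner in sorted(enrichment.items()):
        canonical = str(ipaddress.ip_address(ip))  # ValueError if not an IP
        rows.append(f"    {kql_string(canonical)}, {kql_string(owner)}")
    body = ",\n".join(rows)
    return (
        "let vt_owner = datatable(IPAddress:string, as_owner:string) [\n"
        f"{body}\n"
        "];\n"
        f"{table}\n"
        "| lookup kind=leftouter vt_owner on IPAddress"
    )


if __name__ == "__main__":
    print(build_lookup_query(SAMPLE_ENRICHMENT))
```

The generated query contains only constants, so it does not hit either the row-context restriction on the user defined function or the constant-`uri` restriction on the plugin.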
