Deployment package for ASIM Schema Project Functions

For more information about Log Analytics functions refer to:

• KQL user defined functions
• Managing user functions in Azure Monitor

About

These functions help to simplify the projection of the Manadatory and Recommended columns based of the selected ASIM Schema.

Because you don't have to think about the fields you need to either project or project-away when parsing data from the CommonEventLog or Syslog table, you can now fully focus on optimizing the parser itself.

Using this function also increases the processing speed which has been tested in multiple large enterprise environments

How to use

The Project Schema function is extremely easy to use!
There are two ways to use the functions. You can either let the base function automatically deside what schema to use based on the EventSchema column or manually specify the desired schema.

Just add the following line to the end of your parser, and you are good to go.

Auto Select schema

Example 1

only project Mandatory and Recommended ASIM columns

| invoke ASIM_ProjectSchema()

Example 2

Project ALL Mandatory, Recommended and Optional ASIM columns

| invoke ASIM_ProjectSchema(optional=true)

Manual Select NetworkSession schema

Example 3

only project Mandatory and Recommended ASIM columns

| invoke ASIM_ProjectNetworkSessionSchema()

Example 4

Project ALL Mandatory, Recommended and Optional ASIM columns

| invoke ASIM_ProjectNetworkSessionOptional()

How it works

• The ASIM_ProjectSchema function will evaluate the value Mandatory EventSchema column
  
• Based on the value in the EventSchema column the appropriate project function will be called
• The dedicated Schema function will project the Mandatory, Recommended and optionally the Optional columns related to the specific schema.