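/// <summary>
/// Evaluate a single query at a time.
/// </summary>
/// <param name="dict">The IDictionary of the data to be evaluated with this KqlQuery.</param>
/// <returns>
/// The <see cref="KqlOutput"/> produced when <paramref name="dict"/> satisfies the query, or
/// <c>null</c> when the query emitted nothing for it.
/// </returns>
public KqlOutput Evaluate(IDictionary<string, object> dict)
{
    KqlOutput result = null;
    Stopwatch evaluateStopwatch = Stopwatch.StartNew();

    // Pass over the table name; at least one pipe char [|] is required. With no pipe, IndexOf
    // returns -1 and the whole query text is handed to KustoQuery unchanged.
    string pipeline = Query.Substring(Query.IndexOf('|') + 1).Trim();

    // The subscription is scoped to this call. Without disposing it, every Evaluate call left one
    // more subscriber attached to Input, so each later OnNext fanned out to all of them (unbounded
    // growth in memory and per-call work for a long-lived KqlQuery).
    using (Input.KustoQuery(pipeline).Subscribe(e =>
    {
        result = new KqlOutput
        {
            Output = e,
            Comment = Comment,
            Query = Query,
            KqlQuery = this
        };
    }))
    {
        // Evaluate the query pipeline
        Input.OnNext(dict);
    }

    EvaluationCount++;
    EvaluationTimeSpan += evaluateStopwatch.Elapsed;

    return result;
}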
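DefaultOutput( KqlOutput e) // The type should not be called Detection nor Alert and should not be in separate namespace
{
    // The matched record produced by the query. It is appended to the current payload batch,
    // echoed to the console and handed to the synthetic counter manager.
    // this is no longer alert. "Output" is better name for the property
    var output = e.Output;

    // Roll the payload over at most once every 30 seconds. The time check is repeated inside the
    // lock: the outer check is a cheap fast path, but two callers passing it together would each
    // replace the payload and discard the other's fresh batch without the inner re-check.
    if (DateTime.UtcNow.AddSeconds(-30) > lastUploadTime)
    {
        lock (uploadLock)
        {
            if (DateTime.UtcNow.AddSeconds(-30) > lastUploadTime)
            {
                // Upload the current cache of records
                // UploadPayloadCacheInBatches(logAnalyticsX509Certificate2);

                // Update last upload time and create a new payload object
                lastUploadTime = DateTime.UtcNow;
                payload = GetNewPayloadObject();
                Console.WriteLine(string.Empty);
            }
        }
    }

    // NOTE(review): AddEvent runs outside uploadLock, so a record appended while another caller
    // is rolling the payload over may land in the batch that was just retired — confirm whether
    // that is acceptable once the upload call above is re-enabled.
    payload.AddEvent(this, output, UseEventIngest);

    // Every field of the record is written to the console; anything sensitive that the query
    // projects ends up in whatever captures stdout.
    StringBuilder sbRecord = new StringBuilder("Event:");
    foreach (var outputKey in output.Keys)
    {
        sbRecord.Append($" {outputKey}: {output[outputKey]}");
    }

    Console.WriteLine(sbRecord.ToString());

    // Create SLO record for latency of files transferred
    syntheticCounterManager.InsertEtwEventTcpNetwork($"{Environment.MachineName}:GenevaEtwPOC", output);
}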
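/// <summary>
/// Subscribe this query to <c>Input</c> and push every matching record downstream to
/// <c>Node.Output</c>, wrapped in a <see cref="KqlOutput"/>.
/// </summary>
/// <param name="query">
/// The full Kusto query text. Everything after the first pipe char [|] is the pipeline handed to
/// KustoQuery; with no pipe, every record is forwarded unfiltered.
/// </param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="query"/> is null.</exception>
public void EnableSubscription(string query)
{
    if (query is null)
    {
        throw new ArgumentNullException(nameof(query));
    }

    int pipeIndex = query.IndexOf('|');

    // The original query cannot change on the KqlQuery class, which leads to consumer confusion.
    Query = query;

    // Re-enabling replaces the previous subscription. Disposing it first keeps the old pipeline
    // from continuing to push into Node.Output alongside the new one (and from being leaked).
    Subscription?.Dispose();

    if (pipeIndex != -1) // This means there is at least one Pipe
    {
        Subscription = Input.KustoQuery(Query.Substring(pipeIndex + 1).Trim())
            .Subscribe(d =>
            {
                KqlOutput a = new KqlOutput
                {
                    Output = d,
                    Comment = Comment,
                    Query = query,
                    KqlQuery = this
                };

                // Push downstream to subscribers
                Node.Output.OnNext(a);
            });
    }
    else // If there is no pipe in the query, we are just getting everything
    {
        Subscription = Input.Subscribe(d =>
        {
            KqlOutput a = new KqlOutput
            {
                Output = d,
                Comment = Comment,
                Query = query,
                KqlQuery = this
            };

            // Push downstream to subscribers
            Node.Output.OnNext(a);
        });
    }
}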
/// <summary>
/// Unwraps a <see cref="KqlOutput"/> and forwards its <c>Output</c> record to <c>OutputAction</c>.
/// </summary>
/// <param name="obj">The query output whose <c>Output</c> record is forwarded.</param>
public void KqlOutputAction(KqlOutput obj) => OutputAction(obj.Output);