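        /// <summary>
        /// Evaluate a single query at a time: pushes <paramref name="dict"/> through the KQL
        /// pipeline built from <see cref="Query"/> and returns whatever the pipeline emits.
        /// </summary>
        /// <param name="dict">The IDictionary of the data to be evaluated with this KqlQuery</param>
        /// <returns>
        /// A <see cref="KqlOutput"/> wrapping the pipeline result, or <c>null</c> when the pipeline
        /// emitted nothing for this record (for example, the query filtered it out).
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="dict"/> is null.</exception>
        public KqlOutput Evaluate(IDictionary<string, object> dict)
        {
            if (dict == null)
            {
                throw new ArgumentNullException(nameof(dict));
            }

            KqlOutput result            = null;
            Stopwatch evaluateStopwatch = Stopwatch.StartNew();

            // Pass over the table name, at least one pipe char [|] is required.
            // IndexOf returns -1 when there is no pipe, so the whole query text is used in that case.
            string pipeline = Query.Substring(Query.IndexOf('|') + 1).Trim();

            // The subscription is scoped to this call. Without disposing it, every Evaluate call
            // would leave another live subscriber attached to Input, so the number of observers
            // (and the work done per OnNext) would grow with each evaluation.
            using (Input.KustoQuery(pipeline).Subscribe(e =>
            {
                result = new KqlOutput
                {
                    Output   = e,
                    Comment  = Comment,
                    Query    = Query,
                    KqlQuery = this
                };
            }))
            {
                // Evaluate the query pipeline; the subscriber above captures the emitted record.
                Input.OnNext(dict);
            }

            this.EvaluationCount++;
            this.EvaluationTimeSpan += evaluateStopwatch.Elapsed;

            return result;
        }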
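        DefaultOutput(
            KqlOutput e)           // The type should not be called Detection nor Alert and should not be in separate namespace
        {
            // Default sink for an evaluated record: rolls the upload payload cache over at most
            // every 30 seconds, adds the record to the current payload, echoes it to the console
            // and records the SLO/latency counter for it.
            if (e == null)
            {
                throw new ArgumentNullException(nameof(e));
            }

            var output = e.Output; // this is no longer alert. "Output" is better name for the property

            // The cheap check outside the lock keeps the hot path uncontended; the same check is
            // repeated inside the lock so that two callers racing past the first check do not
            // both reset lastUploadTime and replace the payload.
            if (DateTime.UtcNow.AddSeconds(-30) > lastUploadTime)
            {
                lock (uploadLock)
                {
                    if (DateTime.UtcNow.AddSeconds(-30) > lastUploadTime)
                    {
                        // Upload the current cache of records
                        // UploadPayloadCacheInBatches(logAnalyticsX509Certificate2);

                        // Update last upload time and create a new payload object
                        lastUploadTime = DateTime.UtcNow;
                        payload        = GetNewPayloadObject();
                        Console.WriteLine(string.Empty);
                    }
                }
            }

            payload.AddEvent(this, output, UseEventIngest);

            // Echo the record as "Event: key: value ...". Values are written verbatim; nothing in
            // the record is escaped before it reaches the console.
            StringBuilder sbRecord = new StringBuilder("Event:");

            foreach (var outputKey in output.Keys)
            {
                sbRecord.Append($" {outputKey}: {output[outputKey]}");
            }

            Console.WriteLine(sbRecord.ToString());

            // Create SLO record for latency of files transferred
            syntheticCounterManager.InsertEtwEventTcpNetwork($"{Environment.MachineName}:GenevaEtwPOC", output);
        }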
ファイル: KqlNode.cs プロジェクト: tatecksi/KqlTools
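        /// <summary>
        /// Subscribes this node to <see cref="Input"/>: when <paramref name="query"/> contains a pipe,
        /// records are run through the KQL pipeline after the first <c>|</c>; otherwise every record
        /// is forwarded unfiltered. Each emitted record is wrapped in a <see cref="KqlOutput"/> and
        /// pushed to <c>Node.Output</c>.
        /// </summary>
        /// <param name="query">The full KQL query; the text after the first <c>|</c> is the pipeline that is executed.</param>
        /// <exception cref="ArgumentNullException"><paramref name="query"/> is null.</exception>
        public void EnableSubscription(string query)
        {
            if (query == null)
            {
                throw new ArgumentNullException(nameof(query));
            }

            int pipeIndex = query.IndexOf('|');

            // The original query cannot change on the KqlQuery class, which leads to consumer confusion.
            Query = query;

            // Wrap a record coming out of Input in the envelope pushed downstream. Both branches
            // below build exactly the same envelope, so it lives in one place.
            // Input is assumed to emit IDictionary<string, object> records (matches Evaluate's OnNext usage) — confirm.
            KqlOutput Wrap(IDictionary<string, object> d) => new KqlOutput
            {
                Output   = d,
                Comment  = Comment,
                Query    = query,
                KqlQuery = this
            };

            // Re-enabling replaces the subscription; dispose the previous one first so the old
            // observer stops pushing (and double-publishing) into Node.Output.
            Subscription?.Dispose();

            if (pipeIndex != -1) // This means there is at least one Pipe
            {
                Subscription = Input.KustoQuery(query.Substring(pipeIndex + 1).Trim())
                               .Subscribe(d => Node.Output.OnNext(Wrap(d)));
            }
            else // If there is no pipe in the query, we are just getting everything
            {
                Subscription = Input.Subscribe(d => Node.Output.OnNext(Wrap(d)));
            }
        }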
 /// <summary>
 /// Adapter that unwraps a <see cref="KqlOutput"/> and hands its payload to <c>OutputAction</c>.
 /// </summary>
 /// <param name="obj">The evaluated query result whose <c>Output</c> is forwarded.</param>
 public void KqlOutputAction(KqlOutput obj) => OutputAction(obj.Output);