Azure @ Enterprise - Writing custom functions in LogAnalytics KQL

Normally when we analyze web requests we encounter scenarios where the URLs have values such as GUID. That will cause little trouble when we want to aggregate. Without replacing those values if we aggregate, it will be showing many categories based on the cardinality of values. For example, if we are taking the max time taken by URL, it may be showing a different URL when with the GUID values and without GUID values.

In Azure world, we mainly use LogAnalytic, Application insights, etc... for storage and the Kusto Query Language (KQL hereafter) for querying data. The same problem of numbers and GUIDs in URLs will be a problem here as well.

The title of this post is not about replacing GUIDs using regular expressions. But the replacement of GUIDs is going to be demonstrated using a custom function in this post

Without GUID removal

Let us see a sample without filtering GUIDs

With GUID removal

Here goes the result of the GUID removal

In the above example we can see when we replace the GUID values, a new URL showed up. This is useful to decide what URL to optimize when we have limited time in hand.

GUID removal with function 

First, have an understanding of how to write user-defined functions in KQL and the difference between scalar and tabular functions.

Below goes the equivalent code with the function that replaces GUID values with string /GUID.

let GuidRegEx = '/[({]?[a-fA-F0-9]{8}[-]?([a-fA-F0-9]{4}[-]?){3}[a-fA-F0-9]{12}[})]?';
let RemoveGuid = (input:string) { replace(GuidRegEx, '/GUID', input) };
W3CIISLog
| extend URI = RemoveGuid(csUriStem)
| summarize count(),avg(TimeTaken) by URI
| top 5 by avg_TimeTaken

Happy coding.