Using functions in Azure Monitor log queries

To use a log query with another query you can save it as a function. This allows you to simplify complex queries by breaking them into parts and allows you to reuse common code with multiple queries.

Create a function

Create a function with Log Analytics in the Azure portal by clicking Save and then providing the information in the following table.

Setting Description
Name Display name for the query in Query explorer.
Save as Function
Function Alias Short name to use the function in other queries. May not contain spaces and must be unique.
Category A category to organize saved queries and functions in Query explorer.

Use a function

Use a function by including its alias in another query. It can be used like any other table.

Function parameters

You can add parameters to a function so that you can provide values for certain variables when calling it. The only way to currently create a function with parameters is using a Resource Manager template. See Resource Manager template samples for log queries in Azure Monitor for an example.


The following sample query returns all missing security updates reported in the last day. Save this query as a function with the alias security_updates_last_day.

| where TimeGenerated > ago(1d) 
| where Classification == "Security Updates" 
| where UpdateState == "Needed"

Create another query and reference the security_updates_last_day function to search for SQL-related needed security updates.

security_updates_last_day | where Title contains "SQL"

Next steps

See other lessons for writing Azure Monitor log queries: