microsoft / Kusto-Query-Language

Kusto Query Language is a simple and productive language for querying Big Data.

Lambda function can't end with a 'make-graph' operator without an "unknown function" error

JiTmun opened this issue · comments

Description

In Log Analytics, a call to the 'make-graph' operator at the end of a custom build_graph lambda function, to return the produced graph, fails with the following error:
Unknown function: 'build_graph'.
Request id: 9b114b20-1503-4dec-8795-42d70154d2ed"

I am trying to define a general-purpose function to build a directed process graph based on a predefined table, to then filter freely on target results.

Cf. code below.

Code to get the error

let Data = datatable (Computer:string, process_parent_command_line:string, process_command_line:string)[
"ComputerA", "root cmd", "cmd lvl1",
"ComputerA", "cmd lvl1", "cmd lvl2",
"ComputerA", "cmd lvl1", "cmd lvl1.2",
"ComputerA", "cmd lvl2", "cmd lvl3",
"ComputerA", "cmd lvl3", "cmd /C evil lvl4",
"ComputerA", "cmd /C evil lvl4", "cmd evil lvl5",
"ComputerA", "cmd evil lvl5", "cmd lvl6"
]
;
let build_graph = (T:(process_parent_command_line:string, process_command_line:string, Computer:string)){
T
| extend parent_id = strcat(Computer, process_parent_command_line), child_id = strcat(Computer, process_command_line)
| as hint.materialized=true data
| make-graph parent_id --> child_id
with (data
| mv-expand node_id = pack_array(parent_id, child_id ) to typeof(string)
| summarize take_any() by node_id
) on node_id
// Uncommenting the rows below doesn't raise any error. The goal would rather be to use this after the build_graph function call.
//| graph-match (parent)-[edge*1..10]->(child)
//// where child.process_command_line has "evil"
// project root_cmd = parent.process_parent_command_line,
// in_between = edge.process_parent_command_line,
// lowest_child = child.process_command_line
}
;
Data
| invoke build_graph() // fails as long as no graph-match is part of the defined func

commented

Thanks for reporting, @JiTmun. The issue has been fixed. The fix will be deployed in a couple of weeks.

thanks