V1 - Arguments Support at Runtime

FPL offers arguments support to allow customization of saved FPL reports at run-time. This functionality can be used for investigation purposes. For instance, the results from a Behavior Summary/Alert can be supplied to the FPL report for deeper analysis and reporting.

Command

Arguments are designated by the argument command.

Format / Usage

By convention, argument names should start with two (2) underscores, e.g. __argumentname.

Example

function loginByApp()
search
let {username="userPrincipalName", clientApp="appDisplayName", city="location.city"} = f("@azureSignIn")
aggregate count=count(), cities=values(city) by clientApp
end

function loginByLocation()
search
let {IP="ipAddress"} = f("@azureSignIn")
let {city, country="countryOrRegion", state, latitude="geoCoordinates.latitude", longitude="geoCoordinates.longitude"} = f("@azureSignIn.location")
aggregate count=count(), city=max(city), country=max(country), state=max(state), latitude=max(latitude), longitude=max(longitude) by IP
end

argument __username "user@example.com"
argument __from "-48h@h"
argument __to "@h"

env from=__from, to=__to, query=sContent("@event_type", "@azureSignIn") and sContent("@azureSignIn.userPrincipalName",__username) and sContent("@azureSignIn.status.errorCode", "0")

stream clientApps=loginByApp()
stream locations=loginByLocation()

Fluency Interface

Note: When building the FPL in the editor, a "default" value needs to be supplied for every argument before the task will run. The supplied default value can be changed or removed from the Report scheduling page after the initial run, and when the report is saved.

All three arguments in the above example have 'default' values supplied.

argument __username "user@example.com"
argument __from "-48h@h"
argument __to "@h"