{ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "Workspace": { "type": "string", "metadata": { "description": "The Microsoft Sentinel workspace into which the function will be deployed. The workspace must be in the selected Resource Group." } }, "WorkspaceRegion": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "The region of the selected workspace. By default, the Region selected above is used." } } }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2020-08-01", "name": "[concat(parameters('Workspace'), '/ASimSchemaTester')]", "location": "[parameters('WorkspaceRegion')]", "properties": { "etag": "*", "displayName": "ASIM Schema tester", "category": "ASIM", "FunctionAlias": "ASimSchemaTester", "query": "let ASimFields = materialize(externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string, LogicalType:string, ListOfValues: string, AliasedField: string)\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/ASIM/dev/ASimTester/ASimTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\n | where Schema =~ selected_schema or Schema =~ \"Common\"\n | extend _Priority = iif(Schema =~ selected_schema, 0, 1)\n | summarize arg_min(_Priority, ColumnType, Class, Schema, LogicalType, ListOfValues, AliasedField) by ColumnName\n | project-away _Priority);\nlet ASimFieldsWithAliases = materialize(ASimFields | project-rename SchemaColumn = ColumnName, SchemaType = ColumnType | lookup (ASimFields | project ParentClass = Class, ParentColumn = ColumnName) on $left.AliasedField == $right.ParentColumn);\nlet ParserFields = toscalar (T | summarize make_set(ColumnName));\nT\n| join kind=fullouter ASimFieldsWithAliases on $left.ColumnName == $right.SchemaColumn\n| extend Result = case(\n ColumnName == \"\" and Class == \"Mandatory\", strcat (\"(0) Error: 
Missing mandatory field [\", SchemaColumn, \"]\"),\n ColumnName == \"\" and Class == \"Recommended\", strcat (\"(1) Warning: Missing recommended field [\", SchemaColumn, \"]\"),\n ColumnName == \"\" and Class == \"Conditional\" and ParentClass == \"Mandatory\",\n strcat (\"(0) Error: Missing field [\", SchemaColumn, \"] is mandatory when mandatory column [\", AliasedField, \"] exists\"),\n ColumnName == \"\" and Class == \"Conditional\" and AliasedField in (ParserFields),\n strcat (\"(0) Error: Missing field [\", SchemaColumn, \"] is mandatory when field [\", AliasedField, \"] exists\"),\n ColumnName == \"\" and Class == \"Alias\",\n case\n (ParentClass == \"Mandatory\",\n iff (AliasedField in (ParserFields),\n strcat (\"(0) Error: Missing mandatory alias [\", SchemaColumn, \"] aliasing existing column [\", AliasedField, \"]\"),\n strcat (\"(0) Error: Missing mandatory alias [\", SchemaColumn, \"] aliasing missing column [\", AliasedField, \"]\")\n ),\n ParentClass == \"Recommended\" ,\n iff (AliasedField in (ParserFields),\n strcat (\"(0) Error: Missing recommended alias [\", SchemaColumn, \"] aliasing existing column [\", AliasedField, \"]\"),\n strcat (\"(2) Info: Missing recommended alias [\", SchemaColumn, \"] aliasing non-existent column [\", AliasedField, \"]\")\n ),\n // -- default: ParentClass is optional\n iff (AliasedField in (ParserFields),\n strcat (\"(0) Error: Missing optional alias [\", SchemaColumn, \"] aliasing existing column [\", AliasedField, \"]\"),\n strcat (\"(2) Info: Missing optional alias [\", SchemaColumn, \"] aliasing non-existent column [\", AliasedField, \"]\")\n )\n ),\n ColumnName == \"\" and Class == \"Optional\", strcat (\"(2) Info: Missing optional field [\", SchemaColumn, \"]\"),\n SchemaColumn == \"\", strcat (\"(2) Info: extra unnormalized column [\", ColumnName, \"]\"),\n ColumnName != \"\" and ColumnType != SchemaType, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. 
It is currently \", ColumnType, \" and should be \", SchemaType),\n 'None'\n )\n| where Result != \"None\" | sort by Result asc | project Result", "version": 1, "functionParameters": "T:(ColumnName:string,ColumnType:string),selected_schema:string=''" } } ] }