Merge pull request #202958 from oshezaf/asim/add-schema-identi-to-parser-tester

asim/add-schema-identi-to-parser-tester

Author: PRMerger12

articles/sentinel/normalization-develop-parsers.md

@@ -426,9 +426,15 @@ Handle the results as follows:
 To make sure that your parser produces valid values, use the ASIM data tester by running the following query in the Microsoft Sentinel **Logs** page:
 
   ```KQL
-  <parser name> | limit <X> | invoke ASimDataTester('<schema>')
+  <parser name> | limit <X> | invoke ASimDataTester ( ['<schema>'] )
   ```
 
+Specifying a schema is optional. If a schema is not specified, the `EventSchema` field is used to identify the schema the event should adhere to. Ig an event does not include an `EventSchema` field, only common fields will be verified. If a schema is specified as a parameter, this schema will be used to test all records. This is useful for older parsers that do not set the `EventSchema` field. 
+
+> [!NOTE]
+> Even when a schema is not specified, empty parentheses are needed after the function name.
+>
+
 This test is resource intensive and may not work on your entire data set. Set X to the largest number for which the query will not time out, or set the time range for the query using the time range picker.
 
 Handle the results as follows: