Forum Discussion

Iron Contributor

Feb 10, 2020

Solved

query multiple "contains"

Greetings Community, I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example: Heartbeat | where TimeGenerated >= ago(1h) | w...

Feb 10, 2020

Sorry for being slow on the uptake, string is the search criteria (or pattern match you want) within the computer name column? e.g.

Heartbeat
| extend CompBucket = case(Computer contains "aks", Computer, 
                           Computer contains "Con", Computer
                           ,"")
| where isnotempty(CompBucket)

Heartbeat
| where Computer contains "aks" 
     or Computer contains "Con"
| project Computer

steffen_zeidler

Copper Contributor

Oct 08, 2020

ScottAllison

Maybe you can use the operator has_any.

let ComputerTerms = pack_array('abcd', 'xyz0');
datatable (Computer:string)['abcd.123.com', 'def.xyz0.org', 'ijk.com']
| where Computer has_any (ComputerTerms)

Links to the Kusto query documentation:

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/has-anyoperator

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators#what-is-a-term

SocInABox
Iron Contributor
May 01, 2023
has_any works in the case where you're matching a FULL word within a string.
so "the quick brown fox" - you can match on any of those words but not a partial word like "bro".
So great suggestion steffen!
Mancker
Copper Contributor
Oct 09, 2020
steffen_zeidler Thanks.