Forum Discussion

ScottAllison's avatar
ScottAllison
Iron Contributor
Feb 10, 2020
Solved

query multiple "contains"

Greetings Community,   I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example: Heartbeat | where TimeGenerated >= ago(1h) | w...
azure monitor
Query Language
  • CliveWatson's avatar
    CliveWatson
    Feb 10, 2020

    ScottAllison 

     

    Sorry for being slow on the uptake, string is the search criteria (or pattern match you want) within the computer name column? e.g.

    Heartbeat
| extend CompBucket = case(Computer contains "aks", Computer, 
                           Computer contains "Con", Computer
                           ,"")
| where isnotempty(CompBucket)

     

    or 

     

     

    Heartbeat
| where Computer contains "aks" 
     or Computer contains "Con"
| project Computer
steffen_zeidler's avatar
steffen_zeidler
Copper Contributor
Oct 08, 2020

ScottAllison 

Maybe you can use the operator has_any.

let ComputerTerms = pack_array('abcd', 'xyz0');
datatable (Computer:string)['abcd.123.com', 'def.xyz0.org', 'ijk.com']
| where Computer has_any (ComputerTerms)

Links to the Kusto query documentation:

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/has-anyoperator
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators#what-is-a-term
SocInABox's avatar
SocInABox
Iron Contributor
May 01, 2023
has_any works in the case where you're matching a FULL word within a string.
so "the quick brown fox" - you can match on any of those words but not a partial word like "bro".
So great suggestion steffen!

Resources