Forum Discussion
Solved
query multiple "contains"
Greetings Community, I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example: Heartbeat
| where TimeGenerated >= ago(1h)
| w...
Sorry for being slow on the uptake, string is the search criteria (or pattern match you want) within the computer name column? e.g.
Heartbeat | extend CompBucket = case(Computer contains "aks", Computer, Computer contains "Con", Computer ,"") | where isnotempty(CompBucket)or
Heartbeat | where Computer contains "aks" or Computer contains "Con" | project Computer
Sorry for being slow on the uptake, string is the search criteria (or pattern match you want) within the computer name column? e.g.
Heartbeat
| extend CompBucket = case(Computer contains "aks", Computer,
Computer contains "Con", Computer
,"")
| where isnotempty(CompBucket)
or
Heartbeat
| where Computer contains "aks"
or Computer contains "Con"
| project Computer
Gotcha... it's all a little onerous, but I guess it's what I've got. It'd be nice to send an array instead of "or" or "case" statements. I'll add that as an enhancement.
Thanks again Clive!
Thanks again Clive!
ScottAllison I come across the same problem. Can you please share the solution based on array?
