Forum Discussion
how to use wildcard (*) for join parameter in KQL?
Hi guys. I'm racking my brain with this and would like some help. 🙂 I want to know how to use wildcard(*) for join union parameter. I need to join two tables with the same names in the fields, ho...
It would have be nice to paste the example as text - so I didn't have to retype, but its was appreciated that you shared the example 😉
You probably need to union the results to see all matches, this will handle "*" - if I understand the question correctly.
let exp = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','*',4,
'pc02','4648',4,
'*','60',60,
];
let win = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','5059',4,
'pc02','4648',4,
'pc_03','60',1,
];
union exp, win
| summarize make_set(Event_id), make_set(login_type) by Computer You then need to add your own logic to show the filtered view (i.e. replace the summarize line I used with lines of your own code)
example output
| Computer | set_Event_id | set_login_type |
|---|---|---|
| pc01 | ["*","5059"] | ["4"] |
| pc02 | ["4648"] | ["4"] |
| * | ["60"] | ["60"] |
| pc_03 | ["60"] | ["1"] |