KQL | where User !in (AuditSearch)

Question

Hi,&nbsp;I'm searching through AuditLogs to check for a previous event and using the let statement to assign to a temporary table called AuditSearch.&nbsp;Another search of the AuditLog is being done with following where statement to see if a previous entry exists.&nbsp; This works Ok if a record is added to the temporary table, however if no records are there and is empty the where statement doesn't work.&nbsp;Q what is what the best way to either- check for the temporary table has no recordsor add a dummy record to the table.&nbsp; as long as something exists it works doesnt need to match.&nbsp;| where&nbsp;| where User !in (AuditSearch)&nbsp;&nbsp;thanks&nbsp;Lee

finchl1973 · Answer

Hi,Decided to use a table join with rightanti which shows the results whereby second search doesn't appear in first search and also works if first search doesn't find any results (which the !in didnt work for that scenario)

clive_watson · Answer

finchl1973&nbsp;&nbsp;Perhaps create a fake table and use Union isfuzzy=true to handle the error?&nbsp;&nbsp;let AuditSearch = materialize ( AuditLogs 
                | distinct OperationName);
let fake_   = datatable (name:string)['fake value'];
union isfuzzy=true AuditSearch, fake_
//| extend OperationName = "This is not in the original" /// supply a made up value 
| where OperationName !in (AuditSearch)
| distinct OperationName&nbsp;

finchl1973 · Answer

Clive_Watson&nbsp;&nbsp;Thanks will take a look.

Forum Discussion

KQL | where User !in (AuditSearch)

Resources