Forum Discussion

Aaron_Platek's avatar
Aaron_Platek
Copper Contributor
Nov 06, 2022

KQL projecting columns from a Table and a Watchlist

I have been beating my head on this. I have been trying to project just the columns I need from a table and a watchlist, for example:

DeviceInfo
| where DeviceName == "dc1.lab.com"
| lookup kindinner _GetWatchlist('Device_Name')
on $left.host_s == right.SearchKey

 

From here I would like to project columns from the DeviceInfo table and the Watchlist table, but it does not populate the columns from the watchlist only from the column. Can anyone point me in the right direction?

KQL

2 Replies

Sort By
  • GBushey's avatar
    GBushey
    Icon for Microsoft rankMicrosoft
    Nov 07, 2022
    "lookup" is more of a matching operator. If you want to have the columns from the watchlist show up, use a "join" command.
    • Aaron_Platek's avatar
      Aaron_Platek
      Copper Contributor
      Nov 07, 2022
      So, I realized when I got to work this morning that you can use the project. The problem I realized is that you can't tab complete columns from a watchlist since it is not pre-loaded data.

      Thank you for the post! Still trying to get better at KQL and understanding the entire environment

Resources