Forum Discussion
Solved
KQL Syntax question
I was looking at the KQL for one of the charts in a workbook and came across this statement that I cannot figure out what it does.
AppDisplayName in ('*') or '*' in ('*')
The full statement up to that part is
let data = SigninLogs
| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
| where AppDisplayName in ('*') or '*' in ('*')
Anyone know what that statement means?
https://docs.microsoft.com/en-us/azure/kusto/query/inoperator
in allows you to to use a list. so where AppDisplayName in ('*') is saying basically where appdisplayname is populated.
- Nicholas DiCola (SECURITY JEDI)
Microsoft
https://docs.microsoft.com/en-us/azure/kusto/query/inoperator
in allows you to to use a list. so where AppDisplayName in ('*') is saying basically where appdisplayname is populated.
Nicholas DiCola (SECURITY JEDI) So does
"*" in ("*")
Mean
A) If any column has data
B) if all columns have data
C) Something entirely different?
- Nicholas DiCola (SECURITY JEDI)
since its an or it should be A
