Forum Discussion
Solved
Wildcard filtering using a watchlist
Hey all,
I'm trying to do something like the below:
Table
| where Dest !endswith ((_GetWatchlist('watchlist') | project Dest))
However I get an error saying that "StringNotEndsWith operator requires string arguments" 
Any idea how to search a watchlist like this?? Many thanks in advance.
ChristopherKerry Try surrounding the entire expression with not() as in
Heartbeat | where not(ComputerIP has_any("192.168.1.1"))
4 Replies
ChristopherKerry !endswith is looking for a string value and you are passing in a table (which is what the _GetWatchlist returns)
Not sure how you would actually be able to do what you are attempting. Does your watchlist only have a single row?
- Thanks Gary,
No it's got multiple rows. I had a look at has_any which seems similar to a contains but over multiple rows, but unfortunately there's not a version of !has_any .ChristopherKerry Try surrounding the entire expression with not() as in
Heartbeat | where not(ComputerIP has_any("192.168.1.1"))
