Forum Discussion
ChristopherKerry
Mar 31, 2021Copper Contributor
Wildcard filtering using a watchlist
Hey all, I'm trying to do something like the below: Table
| where Dest !endswith ((_GetWatchlist('watchlist') | project Dest)) However I get an error saying that "StringNotEndsWith operato...
- Apr 01, 2021
ChristopherKerry Try surrounding the entire expression with not() as in
Heartbeat | where not(ComputerIP has_any("192.168.1.1"))
GaryBushey
Mar 31, 2021Bronze Contributor
ChristopherKerry !endswith is looking for a string value and you are passing in a table (which is what the _GetWatchlist returns)
Not sure how you would actually be able to do what you are attempting. Does your watchlist only have a single row?
ChristopherKerry
Apr 01, 2021Copper Contributor
Thanks Gary,
No it's got multiple rows. I had a look at has_any which seems similar to a contains but over multiple rows, but unfortunately there's not a version of !has_any .
No it's got multiple rows. I had a look at has_any which seems similar to a contains but over multiple rows, but unfortunately there's not a version of !has_any .
- GaryBusheyApr 01, 2021Bronze Contributor
ChristopherKerry Try surrounding the entire expression with not() as in
Heartbeat | where not(ComputerIP has_any("192.168.1.1"))
- ChristopherKerryApr 01, 2021Copper Contributor
That worked! Thanks Gary
For anyone trying to do the same thing - the resulting query looked like this:
Table | where not(Dest has_any ((_GetWatchlist('watchlist') | project Dest)))