
KQL Syntax question

Gary Bushey
Contributor

I was looking at the KQL for one of the charts in a workbook and came across this statement that I cannot figure out what it does.

 

AppDisplayName in ('*') or '*' in ('*')

The full statement up to that part is

let data = SigninLogs
    | extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
    | where AppDisplayName in ('*') or '*' in ('*')
 
Anyone know what that statement means?
3 Replies
Solution

@Gary Bushey 

https://docs.microsoft.com/en-us/azure/kusto/query/inoperator

in allows you to use a list. So where AppDisplayName in ('*') is saying basically where appdisplayname is populated.

@Nicholas DiCola (SECURITY JEDI) So does

"*" in ("*")

Mean

A) If any column has data

B) if all columns have data

C) Something entirely different?

@Gary Bushey 

Since it's an or, it should be A
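
An added example, not part of the original thread or the workbook's own query: the same predicate split into its two halves and run over constructed rows (the `SampleSignins` table and the `NameInList`, `LiteralInList` and `KeptByWhere` column names are assumptions). KQL's `in` tests a value for exact, case-sensitive equality against each item in the list, so the extra columns show which half of the `or` decides whether a row passes the `where`.

```kql
// Constructed sample rows standing in for SigninLogs (not real data).
let SampleSignins = datatable(AppDisplayName: string)
[
    "Azure Portal",
    "Office 365 Exchange Online",
    "",      // empty name, rewritten to 'Unknown' by the extend below
    "*"      // a literal asterisk as the application name
];
SampleSignins
// Same normalisation step as the query in the question.
| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
| extend
    // Left half: the column value compared for equality with each list item.
    NameInList    = AppDisplayName in ('*'),
    // Right half: a constant compared with a constant, identical for every row.
    LiteralInList = '*' in ('*')
// The where clause in the question keeps a row when either half is true.
| extend KeptByWhere = NameInList or LiteralInList
| project AppDisplayName, NameInList, LiteralInList, KeptByWhere
```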
