how to use wildcard (*) for join parameter in KQL?

Luizao_f · ‎Aug 11 2021

Hi guys.

I'm racking my brain with this and would like some help. :)

I want to know how to use wildcard(*) for join union parameter.

I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.

My exceptions table:

My data table:

When running, it doesn't bring anything in the result.

For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).

I'm not finding a way to solve this problem since the join condition only allows "==" and "and".

Uri Barash · ‎Aug 29 2021

Try joining on the two mandatory fields using left or full outer and filter afterwards based on your complex criteria.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

how to use wildcard (*) for join parameter in KQL?

how to use wildcard (*) for join parameter in KQL?

Re: how to use wildcard (*) for join parameter in KQL?