how to use wildcard (*) for join parameter in KQL?


Hi guys.

I'm racking my brain with this and would like some help. :)

I want to know how to use wildcard(*) for join union parameter.

I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.

My exceptions table:



My data table:



When running, it doesn't bring anything in the result.


For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).

I'm not finding a way to solve this problem since the join condition only allows "==" and "and".


1 Reply
Try joining on the two mandatory fields using left or full outer and filter afterwards based on your complex criteria.