SOLVED

query multiple "contains"


Greetings Community,
I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example:

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'ACOMPUTER1'
| summarize max(TimeGenerated) by Computer

 I can run this query but I have to execute it for a different string each time:
Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'ACOMPUTER1'
| summarize max(TimeGenerated) by Computer
Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'SERVERABC'
| summarize max(TimeGenerated) by Computer
Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains 'THISMACHINE_B'
| summarize max(TimeGenerated) by Computer


Is there a way to go through multiple "contains" or "has" statements in a single query? Was thinking that I'd have to build an array in a function or something... any help is appreciated.

7 Replies

@Scott Allison

Like this ?

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer in ('ACOMPUTER1', 'SERVERABC')
| summarize max(TimeGenerated) by Computer

or

let cList = dynamic(["ContosoASCAlert", "ContosoAzLnx1"]);
Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer in (cList)
| summarize max(TimeGenerated) by Computer

or

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer startswith "cont"
| summarize max(TimeGenerated) by Computer
@Clive Watson No. I want to look in COMPUTER for multiple possible strings in a single query, much like the "contains" operator. For example, my "dream" query would have the following fake operator (contains_in):

Heartbeat
| where TimeGenerated >= ago(1h)
| where Computer contains_in ('ACOMPUTER1', 'SERVERABC')
| summarize max(TimeGenerated) by Computer

I know this doesn't exist, but I was hoping to fake it.

For background, we have 15,000 computers across multiple domains (and growing) and the computers mostly show up as FQDNs, but some as short names. Also, they are added in multiple cases (some all lower, some all upper). So a "Computer in" statement will never work for this scenario if we don't know the FQDN or if it is even listed as FQDN. The best way is to just search for the short name using "contains" or "has", but again, for multiple strings (I have a current use case for about 12 different strings).


@Scott Allison

Heartbeat
| where Computer in ("ContosoASCAlert", "ContosoAzLnx1", "ContosoWeb1.ContosoRetail.com")
| extend Computer = split(Computer, ".").[0]
| summarize max(TimeGenerated) by tolower(tostring(Computer))

What if we lowercase all machines and ignore the FQDN?   


@Scott Allison

Heartbeat
| where Computer in~ ("ContosoASCALERT", "ContosoAzLnx1", "ContosoWeb1.ContosoRetail.com")
| extend Computer = split(Computer, ".").[0]
| summarize max(TimeGenerated) by tostring(Computer)

Sorry, best practice would be to use "in~".


@Clive Watson

Returns zero results because the "in~" string operator means 'Equals to one of the elements' (according to documentation).

I do not need "equals"... I need "contains". I am not looking for full names--only partials. And again, about 12 different strings I want to search. If I could simply provide a list of strings to search, and then have the query look at each of those strings and find matches in the Computer column, that's all I need.

Solution

@Scott Allison

Sorry for being slow on the uptake. So the string is the search criteria (or pattern match you want) within the computer name column? e.g.

Heartbeat
| extend CompBucket = case(Computer contains "aks", Computer,
                           Computer contains "Con", Computer,
                           "")
| where isnotempty(CompBucket)

or

Heartbeat
| where Computer contains "aks"
     or Computer contains "Con"
| project Computer
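The accepted answer chains `contains ... or contains ...` by hand. KQL can also take the list as one array, which is what the original question asked for: `has_any` does a case-insensitive whole-term match against every element of a dynamic array, and `matches regex` with an alternation built by `strcat_array` gives the substring ("contains") semantics for the same array. The following is an added example, not code from the thread or from Microsoft; the `Heartbeat` rows are a constructed `datatable` standing in for the real table (so the `ago(1h)` filter is left out), and the names in `names` are made up to show the difference between the two operators.

```kql
// Constructed stand-in for the Heartbeat table (assumption: not real data).
// Mixed FQDN / short names and mixed case, as described in the thread.
let Heartbeat = datatable(TimeGenerated:datetime, Computer:string) [
    datetime(2020-01-29 10:00:00), "ACOMPUTER1.corp.contoso.com",
    datetime(2020-01-29 10:05:00), "acomputer1.corp.contoso.com",
    datetime(2020-01-29 10:03:00), "SERVERABC",
    datetime(2020-01-29 10:01:00), "sqlnode7.lab.contoso.com",
    datetime(2020-01-29 10:04:00), "WEB01.corp.contoso.com",
    datetime(2020-01-29 10:02:00), "acomputer10.corp.contoso.com"
];
// The short names to search for, supplied once as an array (assumed example names).
let names = dynamic(["ACOMPUTER1", "SERVERABC", "SQLNODE7"]);
// has_any: case-insensitive, whole-term match against every element of the array.
// "acomputer10" is NOT matched: terms are compared whole, so ACOMPUTER1 != acomputer10.
let TermMatches =
    Heartbeat
    | where Computer has_any (names)
    | extend How = "has_any";
// matches regex: substring (contains-like) match. The array is turned into an
// alternation and (?i) makes it case-insensitive, so "acomputer10" IS matched,
// exactly as `Computer contains "ACOMPUTER1"` would match it.
// The pattern is built from constants only, which matches regex requires.
let pattern = strcat(@"(?i)(", strcat_array(names, "|"), ")");
let SubstringMatches =
    Heartbeat
    | where Computer matches regex pattern
    | extend How = "regex";
union TermMatches, SubstringMatches
// Collapse FQDN and short-name rows for the same host onto one lower-cased key,
// the normalisation Clive suggested earlier in the thread.
| extend ShortName = tolower(tostring(split(Computer, ".")[0]))
| summarize LastSeen = max(TimeGenerated), MatchedBy = make_set(How) by ShortName
| order by ShortName asc
```

Against the constructed rows, `acomputer1`, `serverabc` and `sqlnode7` come back matched by both operators, while `acomputer10` is matched only by the regex branch, which is the practical difference between "has" and "contains" the question touches on. Two caveats before using this in anger: `has_any` is the cheaper of the two because it uses the term index, so prefer it when the short names are whole tokens of the hostname; and anything in `names` that contains regex metacharacters (a dot, a plus sign, parentheses) must be escaped before it is joined into the alternation, otherwise the pattern matches more than intended.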
Gotcha... it's all a little onerous, but I guess it's what I've got. It'd be nice to send an array instead of "or" or "case" statements. I'll add that as an enhancement.

Thanks again Clive!