cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Log Analytics Query

Deleted
Not applicable

‎Jul 12 2018 10:59 AM - last edited on ‎Apr 07 2022 05:14 PM by

‎Jul 12 2018 10:59 AM - last edited on ‎Apr 07 2022 05:14 PM by

Log Analytics Query

let ips = (){ "10.0.0.2" | "11.0.0.3" };
search *
| where ( StreamName_s !contains "clusters" )
| order by TimeGenerated
| project TimeGenerated, identity_s, CallerIPAddress
| where CallerIPAddress !contains ips
 
Would you please guide me how I can create a list of IP addresses and define a query to filter out the results which contain the item of the list?
Labels:
3,894 Views
0 Likes
1 Reply
Reply
1 Reply
Evgeny Ternovsky

‎Jul 12 2018 01:26 PM

‎Jul 12 2018 01:26 PM

Re: Log Analytics Query

Mohsen,

 

You're very close in your query. There are two things you need to fix: 1) the way you define your IP set, and 2) using the !in operator instead of !contains. The updated query will look as follows (I've commented two of the lines out as I don't have any data with the "streamname_s" or "identity_s" columns - you should uncomment them):

 

let ips = datatable(IP:string)[
    "10.0.0.2", 
    "11.0.0.3" 
];
search *
//| where ( StreamName_s !contains "clusters" )
| order by TimeGenerated
//| project TimeGenerated, identity_s, CallerIPAddress
| where CallerIPAddress !in (ips)

Using search *, however, is potentially misleading here: it will search across all your data and return any row where the CallerIPAddress column does not a value matching those two IPs. Practically, that means that any rows with an empty CallerIPAddress will also be returned, likely not the behaviour you're looking for. This means you'll likely want to add one further where statement:

let ips = datatable(IP:string)[
    "10.0.0.2", 
    "11.0.0.3" 
];
search *
//| where ( StreamName_s !contains "clusters" )
| order by TimeGenerated
//| project TimeGenerated, identity_s, CallerIPAddress
| where isnotempty(CallerIPAddress)
| where CallerIPAddress !in (ips)

I'd also urge you, for efficiency's sake, to use a particular table name, or a union of table names as your data source, rather than a search *. This'll ensure your queries run much quicker, and the results you see are much more focused.

 

Finally, check out the module on the let command and the in & !in operators on our Pluralsight course (free to watch after a free account registration) if you want to learn a bit more!

 

 

 

0 Likes
Reply