Wildcard filtering using a watchlist

ChristopherKerry · ‎Mar 31 2021

Hey all,

I'm trying to do something like the below:

Table
| where Dest !endswith ((_GetWatchlist('watchlist') | project Dest))

However I get an error saying that "StringNotEndsWith operator requires string arguments"

Any idea how to search a watchlist like this?? Many thanks in advance.

Gary Bushey · ‎Mar 31 2021

@ChristopherKerry !endswith is looking for a string value and you are passing in a table (which is what the _GetWatchlist returns)

Not sure how you would actually be able to do what you are attempting. Does your watchlist only have a single row?

ChristopherKerry · ‎Apr 01 2021

Thanks Gary,

No it's got multiple rows. I had a look at has_any which seems similar to a contains but over multiple rows, but unfortunately there's not a version of !has_any .

ChristopherKerry · ‎Apr 01 2021

@ChristopherKerry Try surrounding the entire expression with not() as in

Heartbeat
| where not(ComputerIP has_any("192.168.1.1"))

ChristopherKerry · ‎Apr 01 2021

@Gary Bushey

That worked! Thanks Gary

For anyone trying to do the same thing - the resulting query looked like this:

Table
| where not(Dest has_any ((_GetWatchlist('watchlist') | project Dest)))

ChristopherKerry · ‎Apr 01 2021

@ChristopherKerry Try surrounding the entire expression with not() as in

Heartbeat
| where not(ComputerIP has_any("192.168.1.1"))

View solution in original post

Wildcard filtering using a watchlist

Wildcard filtering using a watchlist

Re: Wildcard filtering using a watchlist

Re: Wildcard filtering using a watchlist

Re: Wildcard filtering using a watchlist

Re: Wildcard filtering using a watchlist

Re: Wildcard filtering using a watchlist

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Wildcard filtering using a watchlist