SOLVED

Wildcard filtering using a watchlist

%3CLINGO-SUB%20id%3D%22lingo-sub-2246942%22%20slang%3D%22en-US%22%3EWildcard%20filtering%20using%20a%20watchlist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2246942%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20to%20do%20something%20like%20the%20below%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3ETable%0A%7C%20where%20Dest%20!endswith%20((_GetWatchlist('watchlist')%20%7C%20project%20Dest))%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20I%20get%20an%20error%20saying%20that%26nbsp%3B%22%3CSPAN%3EStringNotEndsWith%20operator%20requires%20string%20arguments%22%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%408341BD79091AF36AA2A09063B554B5CD%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20idea%20how%20to%20search%20a%20watchlist%20like%20this%3F%3F%20Many%20thanks%20in%20advance.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2247323%22%20slang%3D%22en-US%22%3ERe%3A%20Wildcard%20filtering%20using%20a%20watchlist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2247323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F998973%22%20target%3D%22_blank%22%3E%40ChristopherKerry%3C%2FA%3E%26nbsp%3B!endswith%20is%20looking%20for%20a%20string%20value%20and%20you%20are%20passing%20in%20a%20table%20(which%20is%20what%20the%20_GetWatchlist%20returns)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20sure%20how%20you%20would%20actually%20be%20able%20to%20do%20what%20you%20are%20attempting.%26nbsp%3B%20Does%20your%20watchlist%20only%20have%20a%20single%20row%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2248533%22%20slang%3D%22en-US%22%3ERe%3A%20Wildcard%20filtering%20using%20a%20watchlist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2248533%22%20slang%3D%22en-US%22%3EThanks%20Gary%2C%3CBR%20%2F%3E%3CBR%20%2F%3ENo%20it's%20got%20multiple%20rows.%20I%20had%20a%20look%20at%20has_any%20which%20seems%20similar%20to%20a%20contains%20but%20over%20multiple%20rows%2C%20but%20unfortunately%20there's%20not%20a%20version%20of%20!has_any%20.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2248773%22%20slang%3D%22en-US%22%3ERe%3A%20Wildcard%20filtering%20using%20a%20watchlist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2248773%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F998973%22%20target%3D%22_blank%22%3E%40ChristopherKerry%3C%2FA%3E%26nbsp%3BTry%20surrounding%20the%20entire%20expression%20with%20not()%20as%20in%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EHeartbeat%0A%7C%20where%20not(ComputerIP%20has_any(%22192.168.1.1%22))%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hey all,

 

I'm trying to do something like the below:

Table
| where Dest !endswith ((_GetWatchlist('watchlist') | project Dest))

 

However I get an error saying that "StringNotEndsWith operator requires string arguments" :smile:

 

Any idea how to search a watchlist like this?? Many thanks in advance.

4 Replies

@ChristopherKerry !endswith is looking for a string value and you are passing in a table (which is what the _GetWatchlist returns)

 

Not sure how you would actually be able to do what you are attempting.  Does your watchlist only have a single row?

 

Thanks Gary,

No it's got multiple rows. I had a look at has_any which seems similar to a contains but over multiple rows, but unfortunately there's not a version of !has_any .
best response confirmed by ChristopherKerry (Occasional Contributor)
Solution

@ChristopherKerry Try surrounding the entire expression with not() as in 

Heartbeat
| where not(ComputerIP has_any("192.168.1.1"))

@Gary Bushey 

That worked! Thanks Gary

For anyone trying to do the same thing - the resulting query looked like this:

 

Table
| where not(Dest has_any ((_GetWatchlist('watchlist') | project Dest)))