Forum Discussion

jainshamu
Copper Contributor
Sep 22, 2021

AND operator in KQL

How can we whitelist a combination of columns using KQL? For example, I want to create an exclusion like below:

| where column1 !contains "abc" and column2 !contains "qwe" and column3 !contains "xyz"

While this looks pretty straightforward, my observation is that it does not make the exclusion based on the above combination of 3 criteria.

Seems like I'm missing something very basic but am not able to identify what.

  • GaryBushey
    Bronze Contributor

    jainshamu You can always use multiple lines.

    | where column1 !contains "abc"
    | where column2 !contains "qwe"
    | where column3 !contains "xyz"


    • CliveWatson
      Microsoft

      GaryBushey I would have expected the original query to work; here is a similar example I use (slightly modified).


      Usage
      | where tostring(IsBillable) !contains "false" and 
              DataType !in("Operation", "Usage") and
              DataType !startswith "VM" and 
              Solution !contains "Log"
      | summarize by DataType, Solution, IsBillable

       

      • GaryBushey
        Bronze Contributor

        CliveWatson Out of curiosity, is there any benefit to using one way over the other? Is one faster than the other?

  • jainshamu
    Copper Contributor
    While I could not unravel the mystery around the use of !contains & AND operator, I finally managed to achieve the end result with something like

    | extend X = column1 contains "abc" and column2 contains "qwe" and column3 contains "xyz"
    | where X != true
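
The difference between the two filters in this thread, as an added example that is not part of any post above: `!contains ... and !contains ...` keeps a row only when none of the three columns match, while excluding the combination means dropping a row only when all three match. The table name `Events`, the flag column names and the row values are constructed for illustration.

```kusto
// Constructed sample rows; column names follow the thread, values are made up.
// id 1: all three columns match (the combination to exclude)
// id 2: only column1 matches
// id 3: column2 and column3 match
// id 4: no column matches
let Events = datatable(id:int, column1:string, column2:string, column3:string)
[
    1, "abc-host", "qwe-user", "xyz-proc",
    2, "abc-host", "other",    "other",
    3, "other",    "qwe-user", "xyz-proc",
    4, "other",    "other",    "other"
];
Events
| extend
    // Filter from the original question: true only if NO column matches.
    KeptByOriginal =
        column1 !contains "abc" and column2 !contains "qwe" and column3 !contains "xyz",
    // Negated combination, same logic as the extend X / where X != true workaround.
    KeptByNegatedCombo =
        not(column1 contains "abc" and column2 contains "qwe" and column3 contains "xyz"),
    // De Morgan equivalent of the negated combination, usable directly in a where clause.
    KeptByDeMorgan =
        column1 !contains "abc" or column2 !contains "qwe" or column3 !contains "xyz"
| project id, KeptByOriginal, KeptByNegatedCombo, KeptByDeMorgan
```

`KeptByOriginal` is true only for the row where no column matches, while the other two flags are false only for the row where all three match. In a detection rule, the original form therefore suppresses any event that shares a single value with the allowlisted combination.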
