how to use wildcard (*) for join parameter in KQL?

Question

Hi guys.I'm racking my brain with this and would like some help. 🙂I want to know how to use wildcard(*) for join union parameter.I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.My exceptions table: &nbsp;My data table:&nbsp;When running, it doesn't bring anything in the result.For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).I'm not finding a way to solve this problem since the join condition only allows "==" and "and".&nbsp;

clivewatson · Answer

Luizao_f&nbsp;
&nbsp;
It would have be nice to paste the example as text - so I didn't have to retype, but its was appreciated that you shared the example 😉You probably need to union the results to see all matches, this will handle "*" - if I understand the question correctly.
&nbsp;
let exp = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','*',4,
'pc02','4648',4,
'*','60',60,
];
let win = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','5059',4,
'pc02','4648',4,
'pc_03','60',1,
];
union exp, win
| summarize make_set(Event_id), make_set(login_type) by Computer
&nbsp;You then need to add your own logic to show the filtered view (i.e. replace the summarize line I used with lines of your own code)&nbsp;
example output
&nbsp;

Computer
set_Event_id
set_login_type

pc01
["*","5059"]
["4"]

pc02
["4648"]
["4"]

*
["60"]
["60"]

pc_03
["60"]
["1"]

&nbsp;

Forum Discussion

how to use wildcard (*) for join parameter in KQL?

1 Reply

Resources

Computer	set_Event_id	set_login_type
pc01	["*","5059"]	["4"]
pc02	["4648"]	["4"]
*	["60"]	["60"]
pc_03	["60"]	["1"]