how to use wildcard (*) for join parameter in KQL?

Luizao_f · ‎Aug 11 2021

Hi guys.

I'm racking my brain with this and would like some help. :)

I want to know how to use wildcard(*) for join union parameter.

I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.

My exceptions table:

My data table:

When running, it doesn't bring anything in the result.

For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).

I'm not finding a way to solve this problem since the join condition only allows "==" and "and".

CliveWatson · ‎Aug 12 2021

@Luizao_f

It would have be nice to paste the example as text - so I didn't have to retype, but its was appreciated that you shared the example ;)
You probably need to union the results to see all matches, this will handle "*" - if I understand the question correctly.

let exp = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','*',4,
'pc02','4648',4,
'*','60',60,
];
let win = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','5059',4,
'pc02','4648',4,
'pc_03','60',1,
];
union exp, win
| summarize make_set(Event_id), make_set(login_type) by Computer

You then need to add your own logic to show the filtered view (i.e. replace the summarize line I used with lines of your own code)

example output

Computer	set_Event_id	set_login_type
pc01	["*","5059"]	["4"]
pc02	["4648"]	["4"]
*	["60"]	["60"]
pc_03	["60"]	["1"]

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

how to use wildcard (*) for join parameter in KQL?

how to use wildcard (*) for join parameter in KQL?

Re: how to use wildcard (*) for join parameter in KQL?