Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

how to use wildcard (*) for join parameter in KQL?

Brass Contributor

Hi guys.

I'm racking my brain with this and would like some help. :)

I want to know how to use wildcard(*) for join union parameter.

I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.

My exceptions table:



My data table:



When running, it doesn't bring anything in the result.


For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).

I'm not finding a way to solve this problem since the join condition only allows "==" and "and".


1 Reply



It would have be nice to paste the example as text - so I didn't have to retype, but its was appreciated that you shared the example ;)
You probably need to union the results to see all matches, this will handle "*" - if I understand the question correctly.


let exp = datatable(Computer:string, Event_id:string, login_type:string)
let win = datatable(Computer:string, Event_id:string, login_type:string)
union exp, win
| summarize make_set(Event_id), make_set(login_type) by Computer

 You then need to add your own logic to show the filtered view (i.e. replace the summarize line I used with lines of your own code) 

example output


Computer set_Event_id set_login_type
pc01 ["*","5059"] ["4"]
pc02 ["4648"] ["4"]
* ["60"] ["60"]
pc_03 ["60"] ["1"]