I'm racking my brain with this and would like some help. :)
I want to know how to use wildcard(*) for join union parameter.
I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.
My exceptions table:
My data table:
When running, it doesn't bring anything in the result.
For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).
I'm not finding a way to solve this problem since the join condition only allows "==" and "and".
It would have be nice to paste the example as text - so I didn't have to retype, but its was appreciated that you shared the example ;) You probably need to union the results to see all matches, this will handle "*" - if I understand the question correctly.
let exp = datatable(Computer:string, Event_id:string, login_type:string)
let win = datatable(Computer:string, Event_id:string, login_type:string)
union exp, win
| summarize make_set(Event_id), make_set(login_type) by Computer
You then need to add your own logic to show the filtered view (i.e. replace the summarize line I used with lines of your own code)