SOLVED

KQL Syntax question


I was looking at the KQL for one of the charts in a workbook and came across this statement that I cannot figure out what it does.

 

AppDisplayName in ('*') or '*' in ('*')
 
The full statement up to that part is 
 
let data = SigninLogs
    | extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
    | where AppDisplayName in ('*') or '*' in ('*')
 
Anyone know what that statement means?
3 Replies
best response confirmed by Gary Bushey (Bronze Contributor)
Solution

@Gary Bushey 

https://docs.microsoft.com/en-us/azure/kusto/query/inoperator

in allows you to use a list, so where AppDisplayName in ('*') is saying basically where AppDisplayName is populated.

@Nicholas DiCola (SECURITY JEDI) So does

"*" in ("*")

mean

A) If any column has data

B) if all columns have data

C) Something entirely different?

@Gary Bushey 

Since it's an or, it should be A.
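
An added example, not part of the original thread, that runs the filter from the question over constructed rows so that the contribution of each side of the `or` shows up in the row counts. KQL's `in` is an exact, case-sensitive membership test with no wildcard handling, so `'*'` is compared as a literal string. The table contents, and the idea that `('*')` is what a workbook drop-down substitutes when "All" is selected, are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for SigninLogs (not real data).
let SampleSignins = datatable(AppDisplayName:string, UserPrincipalName:string)
[
    "Azure Portal", "alice@contoso.example",
    "Office 365",   "bob@contoso.example",
    "",             "carol@contoso.example",   // empty name, renamed to 'Unknown' by the extend in the question
    "*",            "dave@contoso.example"     // a row whose name really is the one-character string '*'
];
// Left side of the `or` on its own: only rows whose value equals the literal '*'.
let LeftSideOnly = SampleSignins
    | where AppDisplayName in ('*')
    | summarize Rows = count()
    | extend Filter = "AppDisplayName in ('*')";
// The statement from the question: the right side compares two constants
// and never looks at a column, so it evaluates the same way for every row.
let FullStatement = SampleSignins
    | extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
    | where AppDisplayName in ('*') or '*' in ('*')
    | summarize Rows = count()
    | extend Filter = "AppDisplayName in ('*') or '*' in ('*')";
// Assumed workbook behaviour: the same template with one application selected
// instead of "All", so the constant comparison no longer succeeds.
let OneAppSelected = SampleSignins
    | extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
    | where AppDisplayName in ('Azure Portal') or '*' in ('Azure Portal')
    | summarize Rows = count()
    | extend Filter = "AppDisplayName in ('Azure Portal') or '*' in ('Azure Portal')";
union LeftSideOnly, FullStatement, OneAppSelected
| project Filter, Rows
```

Comparing the three counts shows whether a given chart is filtering sign-ins by application or passing every row through, which matters when the same query is reused for an alert or investigation.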
