Mar 31 2021 06:29 AM
Hey all,
I'm trying to do something like the below:
Table
| where Dest !endswith ((_GetWatchlist('watchlist') | project Dest))
However I get an error saying that "StringNotEndsWith operator requires string arguments"
Any idea how to search a watchlist like this?? Many thanks in advance.
Mar 31 2021 09:44 AM
@ChristopherKerry !endswith is looking for a string value and you are passing in a table (which is what the _GetWatchlist returns)
Not sure how you would actually be able to do what you are attempting. Does your watchlist only have a single row?
Apr 01 2021 01:21 AM
Apr 01 2021 04:22 AM
Solution@ChristopherKerry Try surrounding the entire expression with not() as in
Heartbeat
| where not(ComputerIP has_any("192.168.1.1"))
Apr 01 2021 06:20 AM
That worked! Thanks Gary
For anyone trying to do the same thing - the resulting query looked like this:
Table
| where not(Dest has_any ((_GetWatchlist('watchlist') | project Dest)))
Apr 01 2021 04:22 AM
Solution@ChristopherKerry Try surrounding the entire expression with not() as in
Heartbeat
| where not(ComputerIP has_any("192.168.1.1"))