Aug 11 2021 06:11 AM
Hi guys.
I'm racking my brain with this and would like some help. :)
I want to know how to use wildcard(*) for join union parameter.
I need to join two tables with the same names in the fields, however, some fields may come with the wildcard(*), since for this field I want all to be validated.
My exceptions table:
My data table:
When running, it doesn't bring anything in the result.
For this union, I want the 3 union fields to be considered, ie based on the exceptions table, if computer_name is Pc_01 and logon_type is 4, no matter what event_id is, this log should be displayed, since the field of eventi_id in the exception list is wildcard(*).
I'm not finding a way to solve this problem since the join condition only allows "==" and "and".
Aug 12 2021 02:46 AM
It would have be nice to paste the example as text - so I didn't have to retype, but its was appreciated that you shared the example ;)
You probably need to union the results to see all matches, this will handle "*" - if I understand the question correctly.
let exp = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','*',4,
'pc02','4648',4,
'*','60',60,
];
let win = datatable(Computer:string, Event_id:string, login_type:string)
[
'pc01','5059',4,
'pc02','4648',4,
'pc_03','60',1,
];
union exp, win
| summarize make_set(Event_id), make_set(login_type) by Computer
You then need to add your own logic to show the filtered view (i.e. replace the summarize line I used with lines of your own code)
example output
Computer | set_Event_id | set_login_type |
---|---|---|
pc01 | ["*","5059"] | ["4"] |
pc02 | ["4648"] | ["4"] |
* | ["60"] | ["60"] |
pc_03 | ["60"] | ["1"] |