Reputation: 597
Is there a way to check if substring in field for Log Analytics?
I have a column full of Computers in Log Analytics. An example is, "window432, linus909, windows322, linux432". I am filtering my disk utilization but I also want to filter by the specific word "window" or "lin". Is that possible? I am using Kusto to query so here's an example of my thought process:
Perf
| where Name == "Utilization Percentage"
and "win" in Computer
Something like this. Is that possible? Thank you.
Upvotes: 2
Views: 5953
Answers (2)
Reputation: 3484
Based on given information in the question and based on what I understand, the requirement is to filter based on Computer names starting with either "window" or "lin".
If that is the case then you can accomplish the requirement with startswith string operator.
Query would look something like:
Perf
| where CounterName == @"% Processor Time" and InstanceName == "_Total"
| where Computer startswith "window" or Computer startswith "lin"
or
InsightsMetrics
| where Name == "UtilizationPercentage"
| where Computer startswith "window" or Computer startswith "lin"
Similarly, based on the requirement, you may leverage other string operators like "in", "has", "endswith", etc. string operators or any other operators or functions as appropriate. For more information w.r.t it, please refer Kusto Query Language (KQL) documents.
Upvotes: 3
Reputation: 25895
If i understand the description correctly, this could work.
It:
- splits the original comma separated string using
split() - expands those using
mv-apply - filters out values that don't contain
win - aggregates the remaining values into a new (filtered) comma separated string
datatable(Computers:string, id:int)
[
"window432, linus909, windows322, linux432", 1,
"window451, linux459, windows444, linux234", 2,
"android222, ios222, linux333" , 3
]
| mv-apply Computer = split(Computers, ", ") on (
where Computer contains "win"
| summarize Computers = strcat_array(make_list(Computer), ", ")
)
| where isnotempty(Computers)
input:
| Computers | id |
|-------------------------------------------|----|
| window432, linus909, windows322, linux432 | 1 |
| window451, linux459, windows444, linux234 | 2 |
| android222, ios222, linux333 | 3 |
output:
| id | Computers |
|----|-----------------------|
| 1 | window432, windows322 |
| 2 | window451, windows444 |
Upvotes: 0
Related Questions
- How to check for a substring match along with conditional expression?
- How do you filter for a string (not) containing a substring in an Azure Data Factory data flow expression?
- Azure Kusto Query to trim multiple parts of a string
- Match partial string from list with field
- How to query on multiple similar string values using "contains" in Azure Log Analytics?
- Substring search on one column from the column of another table without IN operator
- How to match part of a specific column's values from a dynamic array in Azure Log Analytics query?
- SSRS - Check if a substring is contained in a string by code
- Substring in appinsight
- Pattern Match on String Column