Tyngd Punkt
Reputation: 37
KQL How to find rows in table based on list
The below code gives the error: A recognition error occurred
let vips = datatable (name: string)
['xxxx',
'yyyy',
'zzzz',
'gggg'];
DeviceLogonEvents
| where AccountName in~ (vips)
| summarize by DeviceName
| summarize vippc = make_list(DeviceName)
DeviceAlertEvents
| where DeviceName in (vippc)
Any suggestions how I can search for the items in the list vippc in the DeviceAlertEvents in the column DeviceName?
Upvotes: 1
Views: 380
Answers (1)
Yoni L.
Reputation: 25905
you could try this:
let vips = datatable(name: string)
[
'xxxx',
'yyyy',
'zzzz',
'gggg'
]
;
let vippc =
DeviceLogonEvents
| where AccountName in~ (vips)
| distinct DeviceName
;
DeviceAlertEvents
| where DeviceName in (vippc)
Upvotes: 1
Related Questions
- How do I query a list in a field?
- How do I filter a list in KDB?
- KDB get only the rows present only in one table
- how do I write a proper query in kdb this case?
- Select from table where column like list
- KDB - Filter List Column Based on Another Column
- How do you filter or search a nested list in q
- How to query KDB table where one column is a list?
- Selecting rows based on column contents which are in a list in kdb
- KDB: select rows based on value in one column being contained in the list of another column