Reputation: 319
How do I exclude List B from List A in Kusto?
I would like to get an overview of recent SpecialEvents, the ones that already have a comment named 'Skip' need to be excluded from list A. Since comments is an array I can't simply put everything in one query with a where clause (it will not process Comments since it only contains value: '[]'). How do I combine these two tables (Show everything from List A except the ones that are in List B)?
// List A: Show all Event created less than 1 hour ago SpecialEvent | where TimeGenerated < ago(1h) | distinct uniqueNumber | project uniqueNumber
// List B: Don't add the ones that contain 'skip' SpecialEvent | mvexpand parsejson(Comments) | extend commentMsg = Comments.message | where commentMsg contains 'SKIP' | distinct uniqueNumber | project uniqueNumber
Upvotes: 0
Views: 4274
Answers (1)
Reputation: 25905
If I understand your question correctly, you could use the !in() operator or an anti-join.
- https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/inoperator
- https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator
For example:
let list_a =
SpecialEvent
| where TimeGenerated < ago(1h)
| distinct uniqueNumber
;
SpecialEvent
| where uniqueNumber !in(list_a)
| mv-expand parsejson(Comments) // you could also use 'mv-apply' and perform the filters on 'SKIP' under that scope
| extend commentMsg = Comments.message
| where commentMsg contains 'SKIP'
| distinct uniqueNumber
Upvotes: 3
Related Questions
- How can I filter out redundant results except one?
- Kusto query "Where not equals to any of the elements contained in list"
- Kusto: How to find missing values from a list
- How to filter distinct values for a kusto column
- Is it possible to have a Kusto where statement only if some other condition is met?
- How to exclude "outlier" data in kusto
- How to compare Kusto query against 2 table columns?
- KUSTO display two series of data
- Filter out ip addresses from Kusto query
- How to conditionally force fail a query in Kusto