This is the multi-page printable view of this section. Click here to print.
Scalar operators
- 1: Bitwise (binary) operators
- 2: Datetime / timespan arithmetic
- 3: Logical (binary) operators
- 4: Numerical operators
- 5: Between operators
- 6: in operators
- 6.1: The case-insensitive !in~ string operator
- 6.2: The case-insensitive in~ string operator
- 6.3: The case-sensitive !in string operator
- 6.4: The case-sensitive in string operator
- 7: String operators
- 7.1: matches regex operator
- 7.2: String operators
- 7.3: The case-insensitive !~ (not equals) string operator
- 7.4: The case-insensitive !contains string operator
- 7.5: The case-insensitive !endswith string operator
- 7.6: The case-insensitive !has string operators
- 7.7: The case-insensitive !hasprefix string operator
- 7.8: The case-insensitive !hassuffix string operator
- 7.9: The case-insensitive !in~ string operator
- 7.10: The case-insensitive !startswith string operators
- 7.11: The case-insensitive =~ (equals) string operator
- 7.12: The case-insensitive contains string operator
- 7.13: The case-insensitive endswith string operator
- 7.14: The case-insensitive has string operator
- 7.15: The case-insensitive has_all string operator
- 7.16: The case-insensitive has_any string operator
- 7.17: The case-insensitive hasprefix string operator
- 7.18: The case-insensitive hassuffix string operator
- 7.19: The case-insensitive in~ string operator
- 7.20: The case-insensitive startswith string operator
- 7.21: The case-sensitive != (not equals) string operator
- 7.22: The case-sensitive !contains_cs string operator
- 7.23: The case-sensitive !endswith_cs string operator
- 7.24: The case-sensitive !has_cs string operator
- 7.25: The case-sensitive !hasprefix_cs string operator
- 7.26: The case-sensitive !hassuffix_cs string operator
- 7.27: The case-sensitive !in string operator
- 7.28: The case-sensitive !startswith_cs string operator
- 7.29: The case-sensitive == (equals) string operator
- 7.30: The case-sensitive contains_cs string operator
- 7.31: The case-sensitive endswith_cs string operator
- 7.32: The case-sensitive has_cs string operator
- 7.33: The case-sensitive hasprefix_cs string operator
- 7.34: The case-sensitive hassuffix_cs string operator
- 7.35: The case-sensitive in string operator
- 7.36: The case-sensitive startswith string operator
1 - Bitwise (binary) operators
Kusto support several bitwise (binary) operators between integers:
2 - Datetime / timespan arithmetic
Kusto supports performing arithmetic operations on values of types datetime
and timespan.
Supported operations
One can subtract (but not add) two
datetimevalues to get atimespanvalue expressing their difference. For example,datetime(1997-06-25) - datetime(1910-06-11)is how old was Jacques-Yves Cousteau when he died.One can add or subtract two
timespanvalues to get atimespanvalue which is their sum or difference. For example,1d + 2dis three days.One can add or subtract a
timespanvalue from adatetimevalue. For example,datetime(1910-06-11) + 1dis the date Cousteau turned one day old.One can divide two
timespanvalues to get their quotient. For example,1d / 5hgives4.8. This gives one the ability to express anytimespanvalue as a multiple of anothertimespanvalue. For example, to express an hour in seconds, simply divide1hby1s:1h / 1s(with the obvious result,3600).Conversely, one can multiple a numeric value (such as
doubleandlong) by atimespanvalue to get atimespanvalue. For example, one can express an hour and a half as1.5 * 1h.
Examples
Unix time, which is also known as POSIX time or UNIX Epoch time, is a system for describing a point in time as the number of seconds that have elapsed since 00:00:00 Thursday, 1 January 1970, Coordinated Universal Time (UTC), minus leap seconds.
If your data includes representation of Unix time as an integer, or you require converting to it, the following functions are available.
From Unix time
let fromUnixTime = (t: long) {
datetime(1970-01-01) + t * 1sec
};
print result = fromUnixTime(1546897531)
Output
| result |
|---|
| 2019-01-07 21:45:31.0000000 |
To Unix time
let toUnixTime = (dt: datetime) {
(dt - datetime(1970-01-01)) / 1s
};
print result = toUnixTime(datetime(2019-01-07 21:45:31.0000000))
Output
| result |
|---|
| 1546897531 |
Related content
For unix-epoch time conversions, see the following functions:
3 - Logical (binary) operators
The following logical operators can be used to perform comparisons and evaluations:
| Operator name | Syntax | Meaning |
|---|---|---|
| Equality | == | Returns true if both operands are non-null and equal to each other. Otherwise, returns false. |
| Inequality | != | Returns true if any of the operands are null or if the operands aren’t equal to each other. Otherwise, returns false. |
| Logical and | and | Returns true only if both operands are true. The logical and has higher precedence than the logical or. |
| Logical or | or | Returns true if either of the operands is true, regardless of the other operand. |
How logical operators work with null values
Null values adhere to the following rules:
| Operation | Result |
|---|---|
bool(null) == bool(null) | false |
bool(null) != bool(null) | false |
bool(null) and true | false |
bool(null) or true | true |
Examples
Equality
The following query returns a count of all storm events where the event type is “Tornado”.
StormEvents
| where EventType == "Tornado"
| count
Output
| Count |
|---|
| 1238 |
Inequality
The following query returns a count of all storm events where the event type isn’t “Tornado”.
StormEvents
| where EventType != "Tornado"
| count
Output
| Count |
|---|
| 57828 |
Logical and
The following query returns a count of all storm events where the event type is “Tornado” and the state is “KANSAS”.
StormEvents
| where EventType == "Tornado" and State == "KANSAS"
| count
Output
| Count |
|---|
| 161 |
Logical or
The following query returns a count of all storm events where the event type is “Tornado” or “Thunderstorm Wind”.
StormEvents
| where EventType == "Tornado" or EventType == "Thunderstorm Wind"
| count
Output
| Count |
|---|
| 14253 |
Null values
The following query shows that null values are treated as false.
print print=iff(bool(null) and true, true, false)
Output
| false |
Related content
4 - Numerical operators
The types int, long, and real represent numerical types.
The following operators can be used between pairs of these types:
| Operator | Description | Example |
|---|---|---|
+ | Add | 3.14 + 3.14, ago(5m) + 5m |
- | Subtract | 0.23 - 0.22, |
* | Multiply | 1s * 5, 2 * 2 |
/ | Divide | 10m / 1s, 4 / 2 |
% | Modulo | 4 % 2 |
< | Less | 1 < 10, 10sec < 1h, now() < datetime(2100-01-01) |
> | Greater | 0.23 > 0.22, 10min > 1sec, now() > ago(1d) |
== | Equals | 1 == 1 |
!= | Not equals | 1 != 0 |
<= | Less or Equal | 4 <= 5 |
>= | Greater or Equal | 5 >= 4 |
in | Equals to one of the elements | see here |
!in | Not equals to any of the elements | see here |
Type rules for arithmetic operations
The data type of the result of an arithmetic operation is determined by the data types of the operands. If one of the operands is of type real, the result will be of type real. If both operands are of integer types (int or long), the result will be of type long.
Due to these rules, the result of division operations that only involve integers will be truncated to an integer, which might not always be what you want. To avoid truncation, convert at least one of the integer values to real using the todouble() before performing the operation.
The following examples illustrate how the operand types affect the result type in division operations.
| Operation | Result | Description |
|---|---|---|
1.0 / 2 | 0.5 | One of the operands is of type real, so the result is real. |
1 / 2.0 | 0.5 | One of the operands is of type real, so the result is real. |
1 / 2 | 0 | Both of the operands are of type int, so the result is int. Integer division occurs and the decimal is truncated, resulting in 0 instead of 0.5, as one might expect. |
real(1) / 2 | 0.5 | To avoid truncation due to integer division, one of the int operands was first converted to real using the real() function. |
Comment about the modulo operator
The modulo of two numbers always returns in Kusto a “small non-negative number”. Thus, the modulo of two numbers, N % D, is such that: 0 ≤ (N % D) < abs(D).
For example, the following query:
print plusPlus = 14 % 12, minusPlus = -14 % 12, plusMinus = 14 % -12, minusMinus = -14 % -12
Produces this result:
| plusPlus | minusPlus | plusMinus | minusMinus |
|---|---|---|---|
| 2 | 10 | 2 | 10 |
5 - Between operators
5.1 - The !between operator
Matches the input that is outside of the inclusive range.
!between can operate on any numeric, datetime, or timespan expression.
Syntax
T | where expr !between (leftRange..rightRange)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be matched. |
| expr | scalar | ✔️ | The expression to filter. |
| leftRange | int, long, real, or datetime | ✔️ | The expression of the left range. The range is inclusive. |
| rightRange | int, long, real, datetime, or timespan | ✔️ | The expression of the right range. The range is inclusive. This value can only be of type timespan if expr and leftRange are both of type datetime. See example. |
Returns
Rows in T for which the predicate of (expr < leftRange or expr > rightRange) evaluates to true.
Examples
Filter numeric values
range x from 1 to 10 step 1
| where x !between (5 .. 9)
Output
| x |
|---|
| 1 |
| 2 |
| 3 |
| 4 |
| 10 |
Filter datetime
StormEvents
| where StartTime !between (datetime(2007-07-27) .. datetime(2007-07-30))
| count
Output
| Count |
|---|
| 58590 |
Filter datetime using a timespan range
StormEvents
| where StartTime !between (datetime(2007-07-27) .. 3d)
| count
Output
| Count |
|---|
| 58590 |
5.2 - The between operator
Filters a record set for data matching the values in an inclusive range.
between can operate on any numeric, datetime, or timespan expression.
Syntax
T | where expr between (leftRange..rightRange)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be matched. For example, the table name. |
| expr | scalar | ✔️ | The expression used to filter. |
| leftRange | int, long, real, or datetime | ✔️ | The expression of the left range. The range is inclusive. |
| rightRange | int, long, real, datetime, or timespan | ✔️ | The expression of the right range. The range is inclusive. This value can only be of type timespan if expr and leftRange are both of type datetime. See example. |
Returns
Rows in T for which the predicate of (expr >= leftRange and expr <= rightRange) evaluates to true.
Examples
Filter numeric values
range x from 1 to 100 step 1
| where x between (50 .. 55)
Output
| x |
|---|
| 50 |
| 51 |
| 52 |
| 53 |
| 54 |
| 55 |
Filter by date
StormEvents
| where StartTime between (datetime(2007-07-27) .. datetime(2007-07-30))
| count
Output
| Count |
|---|
| 476 |
Filter by date and time
StormEvents
| where StartTime between (datetime(2007-12-01T01:30:00) .. datetime(2007-12-01T08:00:00))
| count
Output
| Count |
|---|
| 301 |
Filter using a timespan range
StormEvents
| where StartTime between (datetime(2007-07-27) .. 3d)
| count
Output
| Count |
|---|
| 476 |
6 - in operators
6.1 - The case-insensitive !in~ string operator
Filters a record set for data without a case-insensitive string.
Performance tips
When possible, use the case-sensitive !in.
Syntax
T | where col !in~ (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Example
List of scalars
The following query shows how to use !in~ with a comma-separated list of scalar values.
StormEvents
| where State !in~ ("Florida", "Georgia", "New York")
| count
Output
| Count |
|---|
| 54,291 |
Dynamic array
The following query shows how to use !in~ with a dynamic array.
StormEvents
| where State !in~ (dynamic(["Florida", "Georgia", "New York"]))
| count
Output
| Count |
|---|
| 54291 |
The same query can also be written with a let statement.
let states = dynamic(["Florida", "Georgia", "New York"]);
StormEvents
| where State !in~ (states)
| summarize count() by State
Output
| Count |
|---|
| 54291 |
Tabular expression
The following query shows how to use !in~ with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State !in~ (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | count_ |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State !in~ (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
6.2 - The case-insensitive in~ string operator
Filters a record set for data with a case-insensitive string.
Performance tips
When possible, use the case-sensitive in.
Syntax
T | where col in~ (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use in~ with a comma-separated list of scalar values.
StormEvents
| where State in~ ("FLORIDA", "georgia", "NEW YORK")
| count
Output
| Count |
|---|
| 4775 |
Dynamic array
The following query shows how to use in~ with a dynamic array.
StormEvents
| where State in~ (dynamic(["FLORIDA", "georgia", "NEW YORK"]))
| count
Output
| Count |
|---|
| 4775 |
The same query can also be written with a let statement.
let states = dynamic(["FLORIDA", "georgia", "NEW YORK"]);
StormEvents
| where State has_any (states)
| summarize count() by State
Output
| Count |
|---|
| 4775 |
Tabular expression
The following query shows how to use in~ with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State in~ (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State in~ (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
6.3 - The case-sensitive !in string operator
Filters a record set for data without a case-sensitive string.
Performance tips
Syntax
T | where col !in (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Example
List of scalars
The following query shows how to use !in with a comma-separated list of scalar values.
StormEvents
| where State !in ("FLORIDA", "GEORGIA", "NEW YORK")
| count
Output
| Count |
|---|
| 54291 |
Dynamic array
The following query shows how to use !in with a dynamic array.
StormEvents
| where State !in (dynamic(["FLORIDA", "GEORGIA", "NEW YORK"]))
| count
Output
| Count |
|---|
| 54291 |
The same query can also be written with a let statement.
let states = dynamic(["FLORIDA", "GEORGIA", "NEW YORK"]);
StormEvents
| where State !in (states)
| summarize count() by State
Output
| Count |
|---|
| 54291 |
Tabular expression
The following query shows how to use !in with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State !in (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | Count |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State !in (large_states)
| summarize count() by State
Output
| State | Count |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
6.4 - The case-sensitive in string operator
Filters a record set for data with a case-sensitive string.
Performance tips
Syntax
T | where col in (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search considers up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use in with a list of scalar values.
StormEvents
| where State in ("FLORIDA", "GEORGIA", "NEW YORK")
| count
Output
| Count |
|---|
| 4775 |
Dynamic array
The following query shows how to use in with a dynamic array.
let states = dynamic(['FLORIDA', 'ATLANTIC SOUTH', 'GEORGIA']);
StormEvents
| where State in (states)
| count
Output
| Count |
|---|
| 3218 |
Tabular expression
The following query shows how to use in with a tabular expression.
let Top_5_States =
StormEvents
| summarize count() by State
| top 5 by count_;
StormEvents
| where State in (Top_5_States)
| count
The same query can be written with an inline tabular expression statement.
StormEvents
| where State in (
StormEvents
| summarize count() by State
| top 5 by count_
)
| count
Output
| Count |
|---|
| 14242 |
Top with other example
The following example identifies the top five states with lightning events and uses the iff() function and in operator to classify lightning events by the top five states, labeled by state name, and all others labeled as “Other.”
let Lightning_By_State = materialize(StormEvents
| summarize lightning_events = countif(EventType == 'Lightning') by State);
let Top_5_States = Lightning_By_State | top 5 by lightning_events | project State;
Lightning_By_State
| extend State = iff(State in (Top_5_States), State, "Other")
| summarize sum(lightning_events) by State
Output
| State | sum_lightning_events |
|---|---|
| ALABAMA | 29 |
| WISCONSIN | 31 |
| TEXAS | 55 |
| FLORIDA | 85 |
| GEORGIA | 106 |
| Other | 415 |
Use a static list returned by a function
The following example counts events from the StormEvents table based on a predefined list of interesting states. The interesting states are defined by the InterestingStates() function.
StormEvents
| where State in (InterestingStates())
| count
Output
| Count |
|---|
| 4775 |
The following query displays which states are considered interesting by the InterestingStates() function.
.show function InterestingStates
Output
| Name | Parameters | Body | Folder | DocString |
|---|---|---|---|---|
| InterestingStates | () | { dynamic([“WASHINGTON”, “FLORIDA”, “GEORGIA”, “NEW YORK”]) } |
Related content
7 - String operators
7.1 - matches regex operator
Filters a record set based on a case-sensitive regular expression value.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Syntax
T | where col matches regex (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The regular expression /Query/Data%20types/real.md used to filter. The maximum number of regex groups is 16. For more information about the regex syntax supported by Kusto, see regular expression. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State matches regex "K.*S"
| where event_count > 10
| project State, event_count
Output
| State | event_count |
|---|---|
| KANSAS | 3166 |
| ARKANSAS | 1028 |
| LAKE SUPERIOR | 34 |
| LAKE ST CLAIR | 32 |
7.2 - String operators
Kusto Query Language (KQL) offers various query operators for searching string data types. The following article describes how string terms are indexed, lists the string query operators, and gives tips for optimizing performance.
Understanding string terms
Kusto indexes all columns, including columns of type string. Multiple indexes are built for such columns, depending on the actual data. These indexes aren’t directly exposed, but are used in queries with the string operators that have has as part of their name, such as has, !has, hasprefix, !hasprefix. The semantics of these operators are dictated by the way the column is encoded. Instead of doing a “plain” substring match, these operators match terms.
What is a term?
By default, each string value is broken into maximal sequences of alphanumeric characters, and each of those sequences is made into a term.
For example, in the following string, the terms are Kusto, KustoExplorerQueryRun, and the following substrings: ad67d136, c1db, 4f9f, 88ef, d94f3b6b0b5a.
Kusto: ad67d136-c1db-4f9f-88ef-d94f3b6b0b5a;KustoExplorerQueryRun
Kusto builds a term index consisting of all terms that are three characters or more, and this index is used by string operators such as has, !has, and so on. If the query looks for a term that is smaller than three characters, or uses a contains operator, then the query will revert to scanning the values in the column. Scanning is much slower than looking up the term in the term index.
Operators on strings
The following abbreviations are used in this article:
- RHS = right hand side of the expression
- LHS = left hand side of the expression
Operators with an _cs suffix are case sensitive.
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
!contains | RHS doesn’t occur in LHS | No | "Fabrikam" !contains "xyz" |
contains_cs | RHS occurs as a subsequence of LHS | Yes | "FabriKam" contains_cs "Kam" |
!contains_cs | RHS doesn’t occur in LHS | Yes | "Fabrikam" !contains_cs "Kam" |
endswith | RHS is a closing subsequence of LHS | No | "Fabrikam" endswith "Kam" |
!endswith | RHS isn’t a closing subsequence of LHS | No | "Fabrikam" !endswith "brik" |
endswith_cs | RHS is a closing subsequence of LHS | Yes | "Fabrikam" endswith_cs "kam" |
!endswith_cs | RHS isn’t a closing subsequence of LHS | Yes | "Fabrikam" !endswith_cs "brik" |
has | Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "North America" has "america" |
!has | RHS isn’t a full term in LHS | No | "North America" !has "amer" |
has_all | Same as has but works on all of the elements | No | "North and South America" has_all("south", "north") |
has_any | Same as has but works on any of the elements | No | "North America" has_any("south", "north") |
has_cs | RHS is a whole term in LHS | Yes | "North America" has_cs "America" |
!has_cs | RHS isn’t a full term in LHS | Yes | "North America" !has_cs "amer" |
hasprefix | RHS is a term prefix in LHS | No | "North America" hasprefix "ame" |
!hasprefix | RHS isn’t a term prefix in LHS | No | "North America" !hasprefix "mer" |
hasprefix_cs | RHS is a term prefix in LHS | Yes | "North America" hasprefix_cs "Ame" |
!hasprefix_cs | RHS isn’t a term prefix in LHS | Yes | "North America" !hasprefix_cs "CA" |
hassuffix | RHS is a term suffix in LHS | No | "North America" hassuffix "ica" |
!hassuffix | RHS isn’t a term suffix in LHS | No | "North America" !hassuffix "americ" |
hassuffix_cs | RHS is a term suffix in LHS | Yes | "North America" hassuffix_cs "ica" |
!hassuffix_cs | RHS isn’t a term suffix in LHS | Yes | "North America" !hassuffix_cs "icA" |
in | Equals to any of the elements | Yes | "abc" in ("123", "345", "abc") |
!in | Not equals to any of the elements | Yes | "bca" !in ("123", "345", "abc") |
in~ | Equals to any of the elements | No | "Abc" in~ ("123", "345", "abc") |
!in~ | Not equals to any of the elements | No | "bCa" !in~ ("123", "345", "ABC") |
matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |
startswith | RHS is an initial subsequence of LHS | No | "Fabrikam" startswith "fab" |
!startswith | RHS isn’t an initial subsequence of LHS | No | "Fabrikam" !startswith "kam" |
startswith_cs | RHS is an initial subsequence of LHS | Yes | "Fabrikam" startswith_cs "Fab" |
!startswith_cs | RHS isn’t an initial subsequence of LHS | Yes | "Fabrikam" !startswith_cs "fab" |
Performance tips
For better performance, when there are two operators that do the same task, use the case-sensitive one. For example:
- Use
==, not=~ - Use
in, notin~ - Use
hassuffix_cs, nothassuffix
For faster results, if you’re testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters, or the start or end of a field, use has or in.
has works faster than contains, startswith, or endswith.
To search for IPv4 addresses or their prefixes, use one of special operators on IPv4 addresses, which are optimized for this purpose.
For more information, see Query best practices.
For example, the first of these queries will run faster:
StormEvents | where State has "North" | count;
StormEvents | where State contains "nor" | count
Operators on IPv4 addresses
The following group of operators provide index accelerated search on IPv4 addresses or their prefixes.
| Operator | Description | Example (yields true) |
|---|---|---|
| has_ipv4 | LHS contains IPv4 address represented by RHS | has_ipv4("Source address is 10.1.2.3:1234", "10.1.2.3") |
| has_ipv4_prefix | LHS contains an IPv4 address that matches a prefix represented by RHS | has_ipv4_prefix("Source address is 10.1.2.3:1234", "10.1.2.") |
| has_any_ipv4 | LHS contains one of IPv4 addresses provided by RHS | has_any_ipv4("Source address is 10.1.2.3:1234", dynamic(["10.1.2.3", "127.0.0.1"])) |
| has_any_ipv4_prefix | LHS contains an IPv4 address that matches one of prefixes provided by RHS | has_any_ipv4_prefix("Source address is 10.1.2.3:1234", dynamic(["10.1.2.", "127.0.0."])) |
7.3 - The case-insensitive !~ (not equals) string operator
Filters a record set for data that doesn’t match a case-insensitive string.
The following table provides a comparison of the == (equals) operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
When possible, use the case-sensitive !=.
Syntax
T | where column !~ (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where (State !~ "texas") and (event_count > 3000)
| project State, event_count
Output
| State | event_count |
|---|---|
| KANSAS | 3,166 |
7.4 - The case-insensitive !contains string operator
Filters a record set for data that doesn’t include a case-sensitive string. !contains searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.
Performance tips
When possible, use the case-sensitive !contains_cs.
Use !has if you’re looking for a term.
Syntax
Case insensitive syntax
T | where Column !contains (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column by which to filter. |
| Expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !contains "kan"
| where event_count > 3000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
7.5 - The case-insensitive !endswith string operator
Filters a record set for data that excludes a case-insensitive ending string.
Performance tips
When possible, use the case-sensitive !endswith_cs.
Syntax
T | where col !endswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events=count() by State
| where State !endswith "is"
| where Events > 2000
| project State, Events
Output
| State | Events |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| IOWA | 2337 |
| MISSOURI | 2016 |
7.6 - The case-insensitive !has string operators
Filters a record set for data that doesn’t have a matching case-insensitive string. !has searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive !has_cs.
Syntax
T | where column !has (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !has "NEW"
| where event_count > 3000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4,701 |
| KANSAS | 3,166 |
7.7 - The case-insensitive !hasprefix string operator
Filters a record set for data that doesn’t include a case-insensitive starting string.
For best performance, use strings of three characters or more. !hasprefix searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive !hasprefix_cs.
Syntax
T | where Column !hasprefix (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter. |
| Expression | string | ✔️ | The expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hasprefix "N"
| where event_count > 2000
| project State, event_count
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| IOWA | 2337 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
7.8 - The case-insensitive !hassuffix string operator
Filters a record set for data that doesn’t have a case-insensitive ending string. !hassuffix returns true if there’s no term inside string column ending with the specified string expression.
Performance tips
When possible, use !hassuffix_cs - a case-sensitive version of the operator.
Syntax
T | where column !hassuffix (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hassuffix "A"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
7.9 - The case-insensitive !in~ string operator
Filters a record set for data without a case-insensitive string.
Performance tips
When possible, use the case-sensitive !in.
Syntax
T | where col !in~ (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Example
List of scalars
The following query shows how to use !in~ with a comma-separated list of scalar values.
StormEvents
| where State !in~ ("Florida", "Georgia", "New York")
| count
Output
| Count |
|---|
| 54,291 |
Dynamic array
The following query shows how to use !in~ with a dynamic array.
StormEvents
| where State !in~ (dynamic(["Florida", "Georgia", "New York"]))
| count
Output
| Count |
|---|
| 54291 |
The same query can also be written with a let statement.
let states = dynamic(["Florida", "Georgia", "New York"]);
StormEvents
| where State !in~ (states)
| summarize count() by State
Output
| Count |
|---|
| 54291 |
Tabular expression
The following query shows how to use !in~ with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State !in~ (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | count_ |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State !in~ (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
7.10 - The case-insensitive !startswith string operators
Filters a record set for data that doesn’t start with a case-insensitive search string.
Performance tips
When possible, use the case-sensitive !startswith_cs.
Syntax
T | where column !startswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !startswith "i"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| MISSOURI | 2016 |
7.11 - The case-insensitive =~ (equals) string operator
Filters a record set for data with a case-insensitive string.
The following table provides a comparison of the == (equals) operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
When possible, use == - a case-sensitive version of the operator.
Syntax
T | where col =~ (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
The State values in the StormEvents table are capitalized. The following query matches
columns with the value “KANSAS”.
StormEvents
| where State =~ "kansas"
| project EventId, State
The following table only shows the first 10 results. To see the full output, run the query.
| EventId | State |
|---|---|
| 70787 | KANSAS |
| 43450 | KANSAS |
| 43451 | KANSAS |
| 38844 | KANSAS |
| 18463 | KANSAS |
| 18464 | KANSAS |
| 18495 | KANSAS |
| 43466 | KANSAS |
| 43467 | KANSAS |
| 43470 | KANSAS |
7.12 - The case-insensitive contains string operator
Filters a record set for data containing a case-insensitive string. contains searches for arbitrary sub-strings rather than terms.
Performance tips
When possible, use contains_cs - a case-sensitive version of the operator.
If you’re looking for a term, use has for faster results.
Syntax
T | where col contains_cs (string)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The name of the column to check for string. |
| string | string | ✔️ | The case-sensitive string by which to filter the data. |
Returns
Rows in T for which string is in col.
Example
StormEvents
| summarize event_count=count() by State
| where State contains "enn"
| where event_count > 10
| project State, event_count
| render table
Output
| State | event_count |
|---|---|
| PENNSYLVANIA | 1687 |
| TENNESSEE | 1125 |
7.13 - The case-insensitive endswith string operator
Filters a record set for data with a case-insensitive ending string.
Performance tips
For faster results, use the case-sensitive version of an operator. For example, use endswith_cs instead of endswith.
Syntax
T | where col endswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events=count() by State
| where State endswith "sas"
| where Events > 10
| project State, Events
Output
| State | Events |
|---|---|
| KANSAS | 3166 |
| ARKANSAS | 1028 |
7.14 - The case-insensitive has string operator
Filters a record set for data with a case-insensitive string. has searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive has_cs.
Syntax
T | where Column has (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter the records. |
| Expression | scalar or tabular | ✔️ | An expression for which to search. If the value is a tabular expression and has multiple columns, the first column is used. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State has "New"
| where event_count > 10
| project State, event_count
Output
| State | event_count |
|---|---|
| NEW YORK | 1,750 |
| NEW JERSEY | 1,044 |
| NEW MEXICO | 527 |
| NEW HAMPSHIRE | 394 |
7.15 - The case-insensitive has_all string operator
Filters a record set for data with one or more case-insensitive search strings. has_all searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Syntax
T | where col has_all (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 256 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
Set of scalars
The following query shows how to use has_all with a comma-separated set of scalar values.
StormEvents
| where EpisodeNarrative has_all ("cold", "strong", "afternoon", "hail")
| summarize Count=count() by EventType
| top 3 by Count
Output
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
Dynamic array
The same result can be achieved using a dynamic array notation.
StormEvents
| where EpisodeNarrative has_all (dynamic(["cold", "strong", "afternoon", "hail"]))
| summarize Count=count() by EventType
| top 3 by Count
Output
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
The same query can also be written with a let statement.
let criteria = dynamic(["cold", "strong", "afternoon", "hail"]);
StormEvents
| where EpisodeNarrative has_all (criteria)
| summarize Count=count() by EventType
| top 3 by Count
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
7.16 - The case-insensitive has_any string operator
Filters a record set for data with any set of case-insensitive strings. has_any searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where col has_any (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 10,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use has_any with a comma-separated list of scalar values.
StormEvents
| where State has_any ("CAROLINA", "DAKOTA", "NEW")
| summarize count() by State
Output
| State | count_ |
|---|---|
| NEW YORK | 1750 |
| NORTH CAROLINA | 1721 |
| SOUTH DAKOTA | 1567 |
| NEW JERSEY | 1044 |
| SOUTH CAROLINA | 915 |
| NORTH DAKOTA | 905 |
| NEW MEXICO | 527 |
| NEW HAMPSHIRE | 394 |
Dynamic array
The following query shows how to use has_any with a dynamic array.
StormEvents
| where State has_any (dynamic(['south', 'north']))
| summarize count() by State
Output
| State | count_ |
|---|---|
| NORTH CAROLINA | 1721 |
| SOUTH DAKOTA | 1567 |
| SOUTH CAROLINA | 915 |
| NORTH DAKOTA | 905 |
| ATLANTIC SOUTH | 193 |
| ATLANTIC NORTH | 188 |
The same query can also be written with a let statement.
let areas = dynamic(['south', 'north']);
StormEvents
| where State has_any (areas)
| summarize count() by State
Output
| State | count_ |
|---|---|
| NORTH CAROLINA | 1721 |
| SOUTH DAKOTA | 1567 |
| SOUTH CAROLINA | 915 |
| NORTH DAKOTA | 905 |
| ATLANTIC SOUTH | 193 |
| ATLANTIC NORTH | 188 |
Tabular expression
The following query shows how to use has_any with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State has_any ((PopulationData | where Population > 5000000 | project State))
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State has_any (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
|…|…|
7.17 - The case-insensitive hasprefix string operator
Filters a record set for data with a case-insensitive starting string.
For best performance, use strings of three characters or more. hasprefix searches for indexed terms, where a term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive hasprefix_cs.
Syntax
T | where Column hasprefix (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter. |
| Expression | string | ✔️ | The expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State hasprefix "la"
| project State, event_count
| State | event_count |
|---|---|
| LAKE MICHIGAN | 182 |
| LAKE HURON | 63 |
| LAKE SUPERIOR | 34 |
| LAKE ST CLAIR | 32 |
| LAKE ERIE | 27 |
| LAKE ONTARIO | 8 |
7.18 - The case-insensitive hassuffix string operator
Filters a record set for data with a case-insensitive ending string. hassuffix returns true if there is a term inside the filtered string column ending with the specified string expression.
Performance tips
When possible, use the case-sensitive hassuffix_cs.
Syntax
T | where Column hassuffix (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | The tabular input whose records are to be filtered. | |
| Column | string | The column by which to filter. | |
| Expression | scalar | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State hassuffix "o"
| project State, event_count
Output
| State | event_count |
|---|---|
| COLORADO | 1654 |
| OHIO | 1233 |
| GULF OF MEXICO | 577 |
| NEW MEXICO | 527 |
| IDAHO | 247 |
| PUERTO RICO | 192 |
| LAKE ONTARIO | 8 |
7.19 - The case-insensitive in~ string operator
Filters a record set for data with a case-insensitive string.
Performance tips
When possible, use the case-sensitive in.
Syntax
T | where col in~ (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use in~ with a comma-separated list of scalar values.
StormEvents
| where State in~ ("FLORIDA", "georgia", "NEW YORK")
| count
Output
| Count |
|---|
| 4775 |
Dynamic array
The following query shows how to use in~ with a dynamic array.
StormEvents
| where State in~ (dynamic(["FLORIDA", "georgia", "NEW YORK"]))
| count
Output
| Count |
|---|
| 4775 |
The same query can also be written with a let statement.
let states = dynamic(["FLORIDA", "georgia", "NEW YORK"]);
StormEvents
| where State has_any (states)
| summarize count() by State
Output
| Count |
|---|
| 4775 |
Tabular expression
The following query shows how to use in~ with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State in~ (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State in~ (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
7.20 - The case-insensitive startswith string operator
Filters a record set for data with a case-insensitive string starting sequence.
Performance tips
When possible, use the case-sensitive startswith_cs.
Syntax
T | where col startswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column used to filter. |
| expression | string | ✔️ | The expression by which to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State startswith "Lo"
| where event_count > 10
| project State, event_count
Output
| State | event_count |
|---|---|
| LOUISIANA | 463 |
7.21 - The case-sensitive != (not equals) string operator
Filters a record set for data that doesn’t match a case-sensitive string.
The following table provides a comparison of the == (equals) operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where column != (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where (State != "FLORIDA") and (event_count > 4000)
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4,701 |
7.22 - The case-sensitive !contains_cs string operator
Filters a record set for data that doesn’t include a case-sensitive string. !contains_cs searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.
Performance tips
If you’re looking for a term, use !has_cs for faster results.
Syntax
Case-sensitive syntax
T | where Column !contains_cs (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column by which to filter. |
| Expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Examples
StormEvents
| summarize event_count=count() by State
| where State !contains_cs "AS"
| count
Output
| Count |
|---|
| 59 |
StormEvents
| summarize event_count=count() by State
| where State !contains_cs "TEX"
| where event_count > 3000
| project State, event_count
Output
| State | event_count |
|---|---|
| KANSAS | 3,166 |
7.23 - The case-sensitive !endswith_cs string operator
Filters a record set for data that doesn’t contain a case-insensitive ending string.
Performance tips
Syntax
T | where col !endswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events=count() by State
| where State !endswith_cs "A"
The following table only shows the first 10 results. To see the full output, run the query.
| State | Events |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| WISCONSIN | 1850 |
| NEW YORK | 1750 |
| COLORADO | 1654 |
| MICHIGAN | 1637 |
| KENTUCKY | 1391 |
| OHIO | 1233 |
7.24 - The case-sensitive !has_cs string operator
Filters a record set for data that doesn’t have a matching case-sensitive string. !has_cs searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
Syntax
T | where column !has_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !has_cs "new"
| count
Output
| Count |
|---|
| 67 |
7.25 - The case-sensitive !hasprefix_cs string operator
Filters a record set for data that doesn’t have a case-sensitive starting string. !hasprefix_cs searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
hasprefix | RHS is a term prefix in LHS | No | "North America" hasprefix "ame" |
!hasprefix | RHS isn’t a term prefix in LHS | No | "North America" !hasprefix "mer" |
hasprefix_cs | RHS is a term prefix in LHS | Yes | "North America" hasprefix_cs "Ame" |
!hasprefix_cs | RHS isn’t a term prefix in LHS | Yes | "North America" !hasprefix_cs "CA" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where column !hasprefix_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hasprefix_cs "P"
| count
Output
| Count |
|---|
| 64 |
7.26 - The case-sensitive !hassuffix_cs string operator
Filters a record set for data that doesn’t have a case-sensitive ending string. !hassuffix_cs returns true if there is no term inside string column ending with the specified string expression.
Performance tips
Syntax
T | where column !hassuffix_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hassuffix_cs "AS"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| IOWA | 2337 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
7.27 - The case-sensitive !in string operator
Filters a record set for data without a case-sensitive string.
Performance tips
Syntax
T | where col !in (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Example
List of scalars
The following query shows how to use !in with a comma-separated list of scalar values.
StormEvents
| where State !in ("FLORIDA", "GEORGIA", "NEW YORK")
| count
Output
| Count |
|---|
| 54291 |
Dynamic array
The following query shows how to use !in with a dynamic array.
StormEvents
| where State !in (dynamic(["FLORIDA", "GEORGIA", "NEW YORK"]))
| count
Output
| Count |
|---|
| 54291 |
The same query can also be written with a let statement.
let states = dynamic(["FLORIDA", "GEORGIA", "NEW YORK"]);
StormEvents
| where State !in (states)
| summarize count() by State
Output
| Count |
|---|
| 54291 |
Tabular expression
The following query shows how to use !in with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State !in (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | Count |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State !in (large_states)
| summarize count() by State
Output
| State | Count |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
7.28 - The case-sensitive !startswith_cs string operator
Filters a record set for data that doesn’t start with a case-sensitive search string.
Performance tips
Syntax
T | where column !startswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !startswith_cs "I"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| MISSOURI | 2016 |
7.29 - The case-sensitive == (equals) string operator
Filters a record set for data matching a case-sensitive string.
The following table provides a comparison of the == operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where col == (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| where State == "kansas"
| count
| Count |
|---|
| 0 |
StormEvents
| where State == "KANSAS"
| count
| Count |
|---|
| 3,166 |
7.30 - The case-sensitive contains_cs string operator
Filters a record set for data containing a case-sensitive string. contains_cs searches for arbitrary sub-strings rather than terms.
Performance tips
If you’re looking for a term, use has_cs for faster results.
Syntax
T | where col contains_cs (string)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The name of the column to check for string. |
| string | string | ✔️ | The case-sensitive string by which to filter the data. |
Returns
Rows in T for which string is in col.
Example
StormEvents
| summarize event_count=count() by State
| where State contains_cs "AS"
Output
| Count |
|---|
| 8 |
7.31 - The case-sensitive endswith_cs string operator
Filters a record set for data with a case-sensitive ending string.
Performance tips
Syntax
T | where col endswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events = count() by State
| where State endswith_cs "NA"
Output
| State | Events |
|---|---|
| NORTH CAROLINA | 1721 |
| MONTANA | 1230 |
| INDIANA | 1164 |
| SOUTH CAROLINA | 915 |
| LOUISIANA | 463 |
| ARIZONA | 340 |
7.32 - The case-sensitive has_cs string operator
Filters a record set for data with a case-sensitive search string. has_cs searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
Syntax
T | where Column has_cs (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter the records. |
| Expression | scalar or tabular | ✔️ | An expression for which to search. If the value is a tabular expression and has multiple columns, the first column is used. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State has_cs "FLORIDA"
Output
| State | event_count |
|---|---|
| FLORIDA | 1042 |
Since all State values are capitalized, searching for a lowercase string with the same value, such as “florida”, won’t yield any results.
StormEvents
| summarize event_count=count() by State
| where State has_cs "florida"
Output
| State | event_count |
|---|---|
7.33 - The case-sensitive hasprefix_cs string operator
Filters a record set for data with a case-sensitive starting string.
For best performance, use strings of three characters or more. hasprefix_cs searches for indexed terms, where a term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
Syntax
T | where Column hasprefix_cs (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter. |
| Expression | string | ✔️ | The expression for which to search. |
Returns
Rows in T for which the predicate is true.
Examples
StormEvents
| summarize event_count=count() by State
| where State hasprefix_cs "P"
| count
| Count |
|---|
| 3 |
StormEvents
| summarize event_count=count() by State
| where State hasprefix_cs "P"
| project State, event_count
| State | event_count |
|---|---|
| PENNSYLVANIA | 1687 |
| PUERTO RICO | 192 |
| E PACIFIC | 10 |
7.34 - The case-sensitive hassuffix_cs string operator
Filters a record set for data with a case-insensitive ending string. hassuffix_cs returns true if there is a term inside the filtered string column ending with the specified string expression.
Performance tips
Syntax
T | where column hassuffix_cs ( expression )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Examples
StormEvents
| summarize event_count=count() by State
| where State hassuffix_cs "AS"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
7.35 - The case-sensitive in string operator
Filters a record set for data with a case-sensitive string.
Performance tips
Syntax
T | where col in (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search considers up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use in with a list of scalar values.
StormEvents
| where State in ("FLORIDA", "GEORGIA", "NEW YORK")
| count
Output
| Count |
|---|
| 4775 |
Dynamic array
The following query shows how to use in with a dynamic array.
let states = dynamic(['FLORIDA', 'ATLANTIC SOUTH', 'GEORGIA']);
StormEvents
| where State in (states)
| count
Output
| Count |
|---|
| 3218 |
Tabular expression
The following query shows how to use in with a tabular expression.
let Top_5_States =
StormEvents
| summarize count() by State
| top 5 by count_;
StormEvents
| where State in (Top_5_States)
| count
The same query can be written with an inline tabular expression statement.
StormEvents
| where State in (
StormEvents
| summarize count() by State
| top 5 by count_
)
| count
Output
| Count |
|---|
| 14242 |
Top with other example
The following example identifies the top five states with lightning events and uses the iff() function and in operator to classify lightning events by the top five states, labeled by state name, and all others labeled as “Other.”
let Lightning_By_State = materialize(StormEvents
| summarize lightning_events = countif(EventType == 'Lightning') by State);
let Top_5_States = Lightning_By_State | top 5 by lightning_events | project State;
Lightning_By_State
| extend State = iff(State in (Top_5_States), State, "Other")
| summarize sum(lightning_events) by State
Output
| State | sum_lightning_events |
|---|---|
| ALABAMA | 29 |
| WISCONSIN | 31 |
| TEXAS | 55 |
| FLORIDA | 85 |
| GEORGIA | 106 |
| Other | 415 |
Use a static list returned by a function
The following example counts events from the StormEvents table based on a predefined list of interesting states. The interesting states are defined by the InterestingStates() function.
StormEvents
| where State in (InterestingStates())
| count
Output
| Count |
|---|
| 4775 |
The following query displays which states are considered interesting by the InterestingStates() function.
.show function InterestingStates
Output
| Name | Parameters | Body | Folder | DocString |
|---|---|---|---|---|
| InterestingStates | () | { dynamic([“WASHINGTON”, “FLORIDA”, “GEORGIA”, “NEW YORK”]) } |
Related content
7.36 - The case-sensitive startswith string operator
Filters a record set for data with a case-sensitive string starting sequence.
Performance tips
Syntax
T | where col startswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column used to filter. |
| expression | string | ✔️ | The expression by which to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State startswith_cs "I"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| IOWA | 2337 |
| ILLINOIS | 2022 |