This is the multi-page printable view of this section. Click here to print.
String operators
- 1: matches regex operator
- 2: String operators
- 3: The case-insensitive !~ (not equals) string operator
- 4: The case-insensitive !contains string operator
- 5: The case-insensitive !endswith string operator
- 6: The case-insensitive !has string operators
- 7: The case-insensitive !hasprefix string operator
- 8: The case-insensitive !hassuffix string operator
- 9: The case-insensitive !in~ string operator
- 10: The case-insensitive !startswith string operators
- 11: The case-insensitive =~ (equals) string operator
- 12: The case-insensitive contains string operator
- 13: The case-insensitive endswith string operator
- 14: The case-insensitive has string operator
- 15: The case-insensitive has_all string operator
- 16: The case-insensitive has_any string operator
- 17: The case-insensitive hasprefix string operator
- 18: The case-insensitive hassuffix string operator
- 19: The case-insensitive in~ string operator
- 20: The case-insensitive startswith string operator
- 21: The case-sensitive != (not equals) string operator
- 22: The case-sensitive !contains_cs string operator
- 23: The case-sensitive !endswith_cs string operator
- 24: The case-sensitive !has_cs string operator
- 25: The case-sensitive !hasprefix_cs string operator
- 26: The case-sensitive !hassuffix_cs string operator
- 27: The case-sensitive !in string operator
- 28: The case-sensitive !startswith_cs string operator
- 29: The case-sensitive == (equals) string operator
- 30: The case-sensitive contains_cs string operator
- 31: The case-sensitive endswith_cs string operator
- 32: The case-sensitive has_cs string operator
- 33: The case-sensitive hasprefix_cs string operator
- 34: The case-sensitive hassuffix_cs string operator
- 35: The case-sensitive in string operator
- 36: The case-sensitive startswith string operator
1 - matches regex operator
Filters a record set based on a case-sensitive regular expression value.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Syntax
T | where col matches regex (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The regular expression /Query/Data%20types/real.md used to filter. The maximum number of regex groups is 16. For more information about the regex syntax supported by Kusto, see regular expression. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State matches regex "K.*S"
| where event_count > 10
| project State, event_count
Output
| State | event_count |
|---|---|
| KANSAS | 3166 |
| ARKANSAS | 1028 |
| LAKE SUPERIOR | 34 |
| LAKE ST CLAIR | 32 |
2 - String operators
Kusto Query Language (KQL) offers various query operators for searching string data types. The following article describes how string terms are indexed, lists the string query operators, and gives tips for optimizing performance.
Understanding string terms
Kusto indexes all columns, including columns of type string. Multiple indexes are built for such columns, depending on the actual data. These indexes aren’t directly exposed, but are used in queries with the string operators that have has as part of their name, such as has, !has, hasprefix, !hasprefix. The semantics of these operators are dictated by the way the column is encoded. Instead of doing a “plain” substring match, these operators match terms.
What is a term?
By default, each string value is broken into maximal sequences of alphanumeric characters, and each of those sequences is made into a term.
For example, in the following string, the terms are Kusto, KustoExplorerQueryRun, and the following substrings: ad67d136, c1db, 4f9f, 88ef, d94f3b6b0b5a.
Kusto: ad67d136-c1db-4f9f-88ef-d94f3b6b0b5a;KustoExplorerQueryRun
Kusto builds a term index consisting of all terms that are three characters or more, and this index is used by string operators such as has, !has, and so on. If the query looks for a term that is smaller than three characters, or uses a contains operator, then the query will revert to scanning the values in the column. Scanning is much slower than looking up the term in the term index.
Operators on strings
The following abbreviations are used in this article:
- RHS = right hand side of the expression
- LHS = left hand side of the expression
Operators with an _cs suffix are case sensitive.
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
!contains | RHS doesn’t occur in LHS | No | "Fabrikam" !contains "xyz" |
contains_cs | RHS occurs as a subsequence of LHS | Yes | "FabriKam" contains_cs "Kam" |
!contains_cs | RHS doesn’t occur in LHS | Yes | "Fabrikam" !contains_cs "Kam" |
endswith | RHS is a closing subsequence of LHS | No | "Fabrikam" endswith "Kam" |
!endswith | RHS isn’t a closing subsequence of LHS | No | "Fabrikam" !endswith "brik" |
endswith_cs | RHS is a closing subsequence of LHS | Yes | "Fabrikam" endswith_cs "kam" |
!endswith_cs | RHS isn’t a closing subsequence of LHS | Yes | "Fabrikam" !endswith_cs "brik" |
has | Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "North America" has "america" |
!has | RHS isn’t a full term in LHS | No | "North America" !has "amer" |
has_all | Same as has but works on all of the elements | No | "North and South America" has_all("south", "north") |
has_any | Same as has but works on any of the elements | No | "North America" has_any("south", "north") |
has_cs | RHS is a whole term in LHS | Yes | "North America" has_cs "America" |
!has_cs | RHS isn’t a full term in LHS | Yes | "North America" !has_cs "amer" |
hasprefix | RHS is a term prefix in LHS | No | "North America" hasprefix "ame" |
!hasprefix | RHS isn’t a term prefix in LHS | No | "North America" !hasprefix "mer" |
hasprefix_cs | RHS is a term prefix in LHS | Yes | "North America" hasprefix_cs "Ame" |
!hasprefix_cs | RHS isn’t a term prefix in LHS | Yes | "North America" !hasprefix_cs "CA" |
hassuffix | RHS is a term suffix in LHS | No | "North America" hassuffix "ica" |
!hassuffix | RHS isn’t a term suffix in LHS | No | "North America" !hassuffix "americ" |
hassuffix_cs | RHS is a term suffix in LHS | Yes | "North America" hassuffix_cs "ica" |
!hassuffix_cs | RHS isn’t a term suffix in LHS | Yes | "North America" !hassuffix_cs "icA" |
in | Equals to any of the elements | Yes | "abc" in ("123", "345", "abc") |
!in | Not equals to any of the elements | Yes | "bca" !in ("123", "345", "abc") |
in~ | Equals to any of the elements | No | "Abc" in~ ("123", "345", "abc") |
!in~ | Not equals to any of the elements | No | "bCa" !in~ ("123", "345", "ABC") |
matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |
startswith | RHS is an initial subsequence of LHS | No | "Fabrikam" startswith "fab" |
!startswith | RHS isn’t an initial subsequence of LHS | No | "Fabrikam" !startswith "kam" |
startswith_cs | RHS is an initial subsequence of LHS | Yes | "Fabrikam" startswith_cs "Fab" |
!startswith_cs | RHS isn’t an initial subsequence of LHS | Yes | "Fabrikam" !startswith_cs "fab" |
Performance tips
For better performance, when there are two operators that do the same task, use the case-sensitive one. For example:
- Use
==, not=~ - Use
in, notin~ - Use
hassuffix_cs, nothassuffix
For faster results, if you’re testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters, or the start or end of a field, use has or in.
has works faster than contains, startswith, or endswith.
To search for IPv4 addresses or their prefixes, use one of special operators on IPv4 addresses, which are optimized for this purpose.
For more information, see Query best practices.
For example, the first of these queries will run faster:
StormEvents | where State has "North" | count;
StormEvents | where State contains "nor" | count
Operators on IPv4 addresses
The following group of operators provide index accelerated search on IPv4 addresses or their prefixes.
| Operator | Description | Example (yields true) |
|---|---|---|
| has_ipv4 | LHS contains IPv4 address represented by RHS | has_ipv4("Source address is 10.1.2.3:1234", "10.1.2.3") |
| has_ipv4_prefix | LHS contains an IPv4 address that matches a prefix represented by RHS | has_ipv4_prefix("Source address is 10.1.2.3:1234", "10.1.2.") |
| has_any_ipv4 | LHS contains one of IPv4 addresses provided by RHS | has_any_ipv4("Source address is 10.1.2.3:1234", dynamic(["10.1.2.3", "127.0.0.1"])) |
| has_any_ipv4_prefix | LHS contains an IPv4 address that matches one of prefixes provided by RHS | has_any_ipv4_prefix("Source address is 10.1.2.3:1234", dynamic(["10.1.2.", "127.0.0."])) |
3 - The case-insensitive !~ (not equals) string operator
Filters a record set for data that doesn’t match a case-insensitive string.
The following table provides a comparison of the == (equals) operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
When possible, use the case-sensitive !=.
Syntax
T | where column !~ (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where (State !~ "texas") and (event_count > 3000)
| project State, event_count
Output
| State | event_count |
|---|---|
| KANSAS | 3,166 |
4 - The case-insensitive !contains string operator
Filters a record set for data that doesn’t include a case-sensitive string. !contains searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.
Performance tips
When possible, use the case-sensitive !contains_cs.
Use !has if you’re looking for a term.
Syntax
Case insensitive syntax
T | where Column !contains (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column by which to filter. |
| Expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !contains "kan"
| where event_count > 3000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
5 - The case-insensitive !endswith string operator
Filters a record set for data that excludes a case-insensitive ending string.
Performance tips
When possible, use the case-sensitive !endswith_cs.
Syntax
T | where col !endswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events=count() by State
| where State !endswith "is"
| where Events > 2000
| project State, Events
Output
| State | Events |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| IOWA | 2337 |
| MISSOURI | 2016 |
6 - The case-insensitive !has string operators
Filters a record set for data that doesn’t have a matching case-insensitive string. !has searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive !has_cs.
Syntax
T | where column !has (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !has "NEW"
| where event_count > 3000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4,701 |
| KANSAS | 3,166 |
7 - The case-insensitive !hasprefix string operator
Filters a record set for data that doesn’t include a case-insensitive starting string.
For best performance, use strings of three characters or more. !hasprefix searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive !hasprefix_cs.
Syntax
T | where Column !hasprefix (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter. |
| Expression | string | ✔️ | The expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hasprefix "N"
| where event_count > 2000
| project State, event_count
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| IOWA | 2337 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
8 - The case-insensitive !hassuffix string operator
Filters a record set for data that doesn’t have a case-insensitive ending string. !hassuffix returns true if there’s no term inside string column ending with the specified string expression.
Performance tips
When possible, use !hassuffix_cs - a case-sensitive version of the operator.
Syntax
T | where column !hassuffix (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hassuffix "A"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
9 - The case-insensitive !in~ string operator
Filters a record set for data without a case-insensitive string.
Performance tips
When possible, use the case-sensitive !in.
Syntax
T | where col !in~ (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Example
List of scalars
The following query shows how to use !in~ with a comma-separated list of scalar values.
StormEvents
| where State !in~ ("Florida", "Georgia", "New York")
| count
Output
| Count |
|---|
| 54,291 |
Dynamic array
The following query shows how to use !in~ with a dynamic array.
StormEvents
| where State !in~ (dynamic(["Florida", "Georgia", "New York"]))
| count
Output
| Count |
|---|
| 54291 |
The same query can also be written with a let statement.
let states = dynamic(["Florida", "Georgia", "New York"]);
StormEvents
| where State !in~ (states)
| summarize count() by State
Output
| Count |
|---|
| 54291 |
Tabular expression
The following query shows how to use !in~ with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State !in~ (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | count_ |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State !in~ (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
10 - The case-insensitive !startswith string operators
Filters a record set for data that doesn’t start with a case-insensitive search string.
Performance tips
When possible, use the case-sensitive !startswith_cs.
Syntax
T | where column !startswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !startswith "i"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| MISSOURI | 2016 |
11 - The case-insensitive =~ (equals) string operator
Filters a record set for data with a case-insensitive string.
The following table provides a comparison of the == (equals) operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
When possible, use == - a case-sensitive version of the operator.
Syntax
T | where col =~ (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
The State values in the StormEvents table are capitalized. The following query matches
columns with the value “KANSAS”.
StormEvents
| where State =~ "kansas"
| project EventId, State
The following table only shows the first 10 results. To see the full output, run the query.
| EventId | State |
|---|---|
| 70787 | KANSAS |
| 43450 | KANSAS |
| 43451 | KANSAS |
| 38844 | KANSAS |
| 18463 | KANSAS |
| 18464 | KANSAS |
| 18495 | KANSAS |
| 43466 | KANSAS |
| 43467 | KANSAS |
| 43470 | KANSAS |
12 - The case-insensitive contains string operator
Filters a record set for data containing a case-insensitive string. contains searches for arbitrary sub-strings rather than terms.
Performance tips
When possible, use contains_cs - a case-sensitive version of the operator.
If you’re looking for a term, use has for faster results.
Syntax
T | where col contains_cs (string)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The name of the column to check for string. |
| string | string | ✔️ | The case-sensitive string by which to filter the data. |
Returns
Rows in T for which string is in col.
Example
StormEvents
| summarize event_count=count() by State
| where State contains "enn"
| where event_count > 10
| project State, event_count
| render table
Output
| State | event_count |
|---|---|
| PENNSYLVANIA | 1687 |
| TENNESSEE | 1125 |
13 - The case-insensitive endswith string operator
Filters a record set for data with a case-insensitive ending string.
Performance tips
For faster results, use the case-sensitive version of an operator. For example, use endswith_cs instead of endswith.
Syntax
T | where col endswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events=count() by State
| where State endswith "sas"
| where Events > 10
| project State, Events
Output
| State | Events |
|---|---|
| KANSAS | 3166 |
| ARKANSAS | 1028 |
14 - The case-insensitive has string operator
Filters a record set for data with a case-insensitive string. has searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive has_cs.
Syntax
T | where Column has (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter the records. |
| Expression | scalar or tabular | ✔️ | An expression for which to search. If the value is a tabular expression and has multiple columns, the first column is used. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State has "New"
| where event_count > 10
| project State, event_count
Output
| State | event_count |
|---|---|
| NEW YORK | 1,750 |
| NEW JERSEY | 1,044 |
| NEW MEXICO | 527 |
| NEW HAMPSHIRE | 394 |
15 - The case-insensitive has_all string operator
Filters a record set for data with one or more case-insensitive search strings. has_all searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Syntax
T | where col has_all (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 256 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
Set of scalars
The following query shows how to use has_all with a comma-separated set of scalar values.
StormEvents
| where EpisodeNarrative has_all ("cold", "strong", "afternoon", "hail")
| summarize Count=count() by EventType
| top 3 by Count
Output
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
Dynamic array
The same result can be achieved using a dynamic array notation.
StormEvents
| where EpisodeNarrative has_all (dynamic(["cold", "strong", "afternoon", "hail"]))
| summarize Count=count() by EventType
| top 3 by Count
Output
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
The same query can also be written with a let statement.
let criteria = dynamic(["cold", "strong", "afternoon", "hail"]);
StormEvents
| where EpisodeNarrative has_all (criteria)
| summarize Count=count() by EventType
| top 3 by Count
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
16 - The case-insensitive has_any string operator
Filters a record set for data with any set of case-insensitive strings. has_any searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where col has_any (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 10,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use has_any with a comma-separated list of scalar values.
StormEvents
| where State has_any ("CAROLINA", "DAKOTA", "NEW")
| summarize count() by State
Output
| State | count_ |
|---|---|
| NEW YORK | 1750 |
| NORTH CAROLINA | 1721 |
| SOUTH DAKOTA | 1567 |
| NEW JERSEY | 1044 |
| SOUTH CAROLINA | 915 |
| NORTH DAKOTA | 905 |
| NEW MEXICO | 527 |
| NEW HAMPSHIRE | 394 |
Dynamic array
The following query shows how to use has_any with a dynamic array.
StormEvents
| where State has_any (dynamic(['south', 'north']))
| summarize count() by State
Output
| State | count_ |
|---|---|
| NORTH CAROLINA | 1721 |
| SOUTH DAKOTA | 1567 |
| SOUTH CAROLINA | 915 |
| NORTH DAKOTA | 905 |
| ATLANTIC SOUTH | 193 |
| ATLANTIC NORTH | 188 |
The same query can also be written with a let statement.
let areas = dynamic(['south', 'north']);
StormEvents
| where State has_any (areas)
| summarize count() by State
Output
| State | count_ |
|---|---|
| NORTH CAROLINA | 1721 |
| SOUTH DAKOTA | 1567 |
| SOUTH CAROLINA | 915 |
| NORTH DAKOTA | 905 |
| ATLANTIC SOUTH | 193 |
| ATLANTIC NORTH | 188 |
Tabular expression
The following query shows how to use has_any with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State has_any ((PopulationData | where Population > 5000000 | project State))
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State has_any (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
|…|…|
17 - The case-insensitive hasprefix string operator
Filters a record set for data with a case-insensitive starting string.
For best performance, use strings of three characters or more. hasprefix searches for indexed terms, where a term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
When possible, use the case-sensitive hasprefix_cs.
Syntax
T | where Column hasprefix (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter. |
| Expression | string | ✔️ | The expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State hasprefix "la"
| project State, event_count
| State | event_count |
|---|---|
| LAKE MICHIGAN | 182 |
| LAKE HURON | 63 |
| LAKE SUPERIOR | 34 |
| LAKE ST CLAIR | 32 |
| LAKE ERIE | 27 |
| LAKE ONTARIO | 8 |
18 - The case-insensitive hassuffix string operator
Filters a record set for data with a case-insensitive ending string. hassuffix returns true if there is a term inside the filtered string column ending with the specified string expression.
Performance tips
When possible, use the case-sensitive hassuffix_cs.
Syntax
T | where Column hassuffix (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | The tabular input whose records are to be filtered. | |
| Column | string | The column by which to filter. | |
| Expression | scalar | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State hassuffix "o"
| project State, event_count
Output
| State | event_count |
|---|---|
| COLORADO | 1654 |
| OHIO | 1233 |
| GULF OF MEXICO | 577 |
| NEW MEXICO | 527 |
| IDAHO | 247 |
| PUERTO RICO | 192 |
| LAKE ONTARIO | 8 |
19 - The case-insensitive in~ string operator
Filters a record set for data with a case-insensitive string.
Performance tips
When possible, use the case-sensitive in.
Syntax
T | where col in~ (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use in~ with a comma-separated list of scalar values.
StormEvents
| where State in~ ("FLORIDA", "georgia", "NEW YORK")
| count
Output
| Count |
|---|
| 4775 |
Dynamic array
The following query shows how to use in~ with a dynamic array.
StormEvents
| where State in~ (dynamic(["FLORIDA", "georgia", "NEW YORK"]))
| count
Output
| Count |
|---|
| 4775 |
The same query can also be written with a let statement.
let states = dynamic(["FLORIDA", "georgia", "NEW YORK"]);
StormEvents
| where State has_any (states)
| summarize count() by State
Output
| Count |
|---|
| 4775 |
Tabular expression
The following query shows how to use in~ with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State in~ (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State in~ (large_states)
| summarize count() by State
Output
| State | count_ |
|---|---|
| TEXAS | 4701 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| GEORGIA | 1983 |
| MINNESOTA | 1881 |
| … | … |
20 - The case-insensitive startswith string operator
Filters a record set for data with a case-insensitive string starting sequence.
Performance tips
When possible, use the case-sensitive startswith_cs.
Syntax
T | where col startswith (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column used to filter. |
| expression | string | ✔️ | The expression by which to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State startswith "Lo"
| where event_count > 10
| project State, event_count
Output
| State | event_count |
|---|---|
| LOUISIANA | 463 |
21 - The case-sensitive != (not equals) string operator
Filters a record set for data that doesn’t match a case-sensitive string.
The following table provides a comparison of the == (equals) operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where column != (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where (State != "FLORIDA") and (event_count > 4000)
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4,701 |
22 - The case-sensitive !contains_cs string operator
Filters a record set for data that doesn’t include a case-sensitive string. !contains_cs searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.
Performance tips
If you’re looking for a term, use !has_cs for faster results.
Syntax
Case-sensitive syntax
T | where Column !contains_cs (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column by which to filter. |
| Expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Examples
StormEvents
| summarize event_count=count() by State
| where State !contains_cs "AS"
| count
Output
| Count |
|---|
| 59 |
StormEvents
| summarize event_count=count() by State
| where State !contains_cs "TEX"
| where event_count > 3000
| project State, event_count
Output
| State | event_count |
|---|---|
| KANSAS | 3,166 |
23 - The case-sensitive !endswith_cs string operator
Filters a record set for data that doesn’t contain a case-insensitive ending string.
Performance tips
Syntax
T | where col !endswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events=count() by State
| where State !endswith_cs "A"
The following table only shows the first 10 results. To see the full output, run the query.
| State | Events |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
| WISCONSIN | 1850 |
| NEW YORK | 1750 |
| COLORADO | 1654 |
| MICHIGAN | 1637 |
| KENTUCKY | 1391 |
| OHIO | 1233 |
24 - The case-sensitive !has_cs string operator
Filters a record set for data that doesn’t have a matching case-sensitive string. !has_cs searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
Syntax
T | where column !has_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !has_cs "new"
| count
Output
| Count |
|---|
| 67 |
25 - The case-sensitive !hasprefix_cs string operator
Filters a record set for data that doesn’t have a case-sensitive starting string. !hasprefix_cs searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
hasprefix | RHS is a term prefix in LHS | No | "North America" hasprefix "ame" |
!hasprefix | RHS isn’t a term prefix in LHS | No | "North America" !hasprefix "mer" |
hasprefix_cs | RHS is a term prefix in LHS | Yes | "North America" hasprefix_cs "Ame" |
!hasprefix_cs | RHS isn’t a term prefix in LHS | Yes | "North America" !hasprefix_cs "CA" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where column !hasprefix_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hasprefix_cs "P"
| count
Output
| Count |
|---|
| 64 |
26 - The case-sensitive !hassuffix_cs string operator
Filters a record set for data that doesn’t have a case-sensitive ending string. !hassuffix_cs returns true if there is no term inside string column ending with the specified string expression.
Performance tips
Syntax
T | where column !hassuffix_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !hassuffix_cs "AS"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| IOWA | 2337 |
| ILLINOIS | 2022 |
| MISSOURI | 2016 |
27 - The case-sensitive !in string operator
Filters a record set for data without a case-sensitive string.
Performance tips
Syntax
T | where col !in (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search will consider up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Example
List of scalars
The following query shows how to use !in with a comma-separated list of scalar values.
StormEvents
| where State !in ("FLORIDA", "GEORGIA", "NEW YORK")
| count
Output
| Count |
|---|
| 54291 |
Dynamic array
The following query shows how to use !in with a dynamic array.
StormEvents
| where State !in (dynamic(["FLORIDA", "GEORGIA", "NEW YORK"]))
| count
Output
| Count |
|---|
| 54291 |
The same query can also be written with a let statement.
let states = dynamic(["FLORIDA", "GEORGIA", "NEW YORK"]);
StormEvents
| where State !in (states)
| summarize count() by State
Output
| Count |
|---|
| 54291 |
Tabular expression
The following query shows how to use !in with an inline tabular expression. Notice that an inline tabular expression must be enclosed with double parentheses.
StormEvents
| where State !in (PopulationData | where Population > 5000000 | project State)
| summarize count() by State
Output
| State | Count |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
The same query can also be written with a let statement. Notice that the double parentheses as provided in the last example aren’t necessary in this case.
let large_states = PopulationData | where Population > 5000000 | project State;
StormEvents
| where State !in (large_states)
| summarize count() by State
Output
| State | Count |
|---|---|
| KANSAS | 3166 |
| IOWA | 2337 |
| NEBRASKA | 1766 |
| OKLAHOMA | 1716 |
| SOUTH DAKOTA | 1567 |
| … | … |
28 - The case-sensitive !startswith_cs string operator
Filters a record set for data that doesn’t start with a case-sensitive search string.
Performance tips
Syntax
T | where column !startswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !startswith_cs "I"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
| MISSOURI | 2016 |
29 - The case-sensitive == (equals) string operator
Filters a record set for data matching a case-sensitive string.
The following table provides a comparison of the == operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Syntax
T | where col == (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| where State == "kansas"
| count
| Count |
|---|
| 0 |
StormEvents
| where State == "KANSAS"
| count
| Count |
|---|
| 3,166 |
30 - The case-sensitive contains_cs string operator
Filters a record set for data containing a case-sensitive string. contains_cs searches for arbitrary sub-strings rather than terms.
Performance tips
If you’re looking for a term, use has_cs for faster results.
Syntax
T | where col contains_cs (string)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The name of the column to check for string. |
| string | string | ✔️ | The case-sensitive string by which to filter the data. |
Returns
Rows in T for which string is in col.
Example
StormEvents
| summarize event_count=count() by State
| where State contains_cs "AS"
Output
| Count |
|---|
| 8 |
31 - The case-sensitive endswith_cs string operator
Filters a record set for data with a case-sensitive ending string.
Performance tips
Syntax
T | where col endswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| col | string | ✔️ | The column to filter. |
| expression | string | ✔️ | The expression used to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize Events = count() by State
| where State endswith_cs "NA"
Output
| State | Events |
|---|---|
| NORTH CAROLINA | 1721 |
| MONTANA | 1230 |
| INDIANA | 1164 |
| SOUTH CAROLINA | 915 |
| LOUISIANA | 463 |
| ARIZONA | 340 |
32 - The case-sensitive has_cs string operator
Filters a record set for data with a case-sensitive search string. has_cs searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
Syntax
T | where Column has_cs (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter the records. |
| Expression | scalar or tabular | ✔️ | An expression for which to search. If the value is a tabular expression and has multiple columns, the first column is used. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State has_cs "FLORIDA"
Output
| State | event_count |
|---|---|
| FLORIDA | 1042 |
Since all State values are capitalized, searching for a lowercase string with the same value, such as “florida”, won’t yield any results.
StormEvents
| summarize event_count=count() by State
| where State has_cs "florida"
Output
| State | event_count |
|---|---|
33 - The case-sensitive hasprefix_cs string operator
Filters a record set for data with a case-sensitive starting string.
For best performance, use strings of three characters or more. hasprefix_cs searches for indexed terms, where a term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
Performance tips
Syntax
T | where Column hasprefix_cs (Expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter. |
| Expression | string | ✔️ | The expression for which to search. |
Returns
Rows in T for which the predicate is true.
Examples
StormEvents
| summarize event_count=count() by State
| where State hasprefix_cs "P"
| count
| Count |
|---|
| 3 |
StormEvents
| summarize event_count=count() by State
| where State hasprefix_cs "P"
| project State, event_count
| State | event_count |
|---|---|
| PENNSYLVANIA | 1687 |
| PUERTO RICO | 192 |
| E PACIFIC | 10 |
34 - The case-sensitive hassuffix_cs string operator
Filters a record set for data with a case-insensitive ending string. hassuffix_cs returns true if there is a term inside the filtered string column ending with the specified string expression.
Performance tips
Syntax
T | where column hassuffix_cs ( expression )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Examples
StormEvents
| summarize event_count=count() by State
| where State hassuffix_cs "AS"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| TEXAS | 4701 |
| KANSAS | 3166 |
35 - The case-sensitive in string operator
Filters a record set for data with a case-sensitive string.
Performance tips
Syntax
T | where col in (expression, … )
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column by which to filter. |
| expression | scalar or tabular | ✔️ | An expression that specifies the values for which to search. Each expression can be a scalar value or a tabular expression that produces a set of values. If a tabular expression has multiple columns, the first column is used. The search considers up to 1,000,000 distinct values. |
Returns
Rows in T for which the predicate is true.
Examples
List of scalars
The following query shows how to use in with a list of scalar values.
StormEvents
| where State in ("FLORIDA", "GEORGIA", "NEW YORK")
| count
Output
| Count |
|---|
| 4775 |
Dynamic array
The following query shows how to use in with a dynamic array.
let states = dynamic(['FLORIDA', 'ATLANTIC SOUTH', 'GEORGIA']);
StormEvents
| where State in (states)
| count
Output
| Count |
|---|
| 3218 |
Tabular expression
The following query shows how to use in with a tabular expression.
let Top_5_States =
StormEvents
| summarize count() by State
| top 5 by count_;
StormEvents
| where State in (Top_5_States)
| count
The same query can be written with an inline tabular expression statement.
StormEvents
| where State in (
StormEvents
| summarize count() by State
| top 5 by count_
)
| count
Output
| Count |
|---|
| 14242 |
Top with other example
The following example identifies the top five states with lightning events and uses the iff() function and in operator to classify lightning events by the top five states, labeled by state name, and all others labeled as “Other.”
let Lightning_By_State = materialize(StormEvents
| summarize lightning_events = countif(EventType == 'Lightning') by State);
let Top_5_States = Lightning_By_State | top 5 by lightning_events | project State;
Lightning_By_State
| extend State = iff(State in (Top_5_States), State, "Other")
| summarize sum(lightning_events) by State
Output
| State | sum_lightning_events |
|---|---|
| ALABAMA | 29 |
| WISCONSIN | 31 |
| TEXAS | 55 |
| FLORIDA | 85 |
| GEORGIA | 106 |
| Other | 415 |
Use a static list returned by a function
The following example counts events from the StormEvents table based on a predefined list of interesting states. The interesting states are defined by the InterestingStates() function.
StormEvents
| where State in (InterestingStates())
| count
Output
| Count |
|---|
| 4775 |
The following query displays which states are considered interesting by the InterestingStates() function.
.show function InterestingStates
Output
| Name | Parameters | Body | Folder | DocString |
|---|---|---|---|---|
| InterestingStates | () | { dynamic([“WASHINGTON”, “FLORIDA”, “GEORGIA”, “NEW YORK”]) } |
Related content
36 - The case-sensitive startswith string operator
Filters a record set for data with a case-sensitive string starting sequence.
Performance tips
Syntax
T | where col startswith_cs (expression)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input to filter. |
| col | string | ✔️ | The column used to filter. |
| expression | string | ✔️ | The expression by which to filter. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State startswith_cs "I"
| where event_count > 2000
| project State, event_count
Output
| State | event_count |
|---|---|
| IOWA | 2337 |
| ILLINOIS | 2022 |