search operator

Learn how to use the search operator to search for a text pattern in multiple tables and columns.

Searches a text pattern in multiple tables and columns.

Syntax

[T |] search [kind= CaseSensitivity ] [in (TableSources)] SearchPredicate

Parameters

NameTypeRequiredDescription
TstringThe tabular data source to be searched over, such as a table name, a union operator, or the results of a tabular query. Can’t be specified together with TableSources.
CaseSensitivitystringA flag that controls the behavior of all string scalar operators, such as has, with respect to case sensitivity. Valid values are default, case_insensitive, case_sensitive. The options default and case_insensitive are synonymous, since the default behavior is case insensitive.
TableSourcesstringA comma-separated list of “wildcarded” table names to take part in the search. The list has the same syntax as the list of the union operator. Can’t be specified together with tabular data source (T).
SearchPredicatestring✔️A boolean expression to be evaluated for every record in the input. If it returns true, the record is outputted. See Search predicate syntax.

Search predicate syntax

The SearchPredicate allows you to search for specific terms in all columns of a table. The operator that is applied to a search term depends on the presence and placement of a wildcard asterisk (*) in the term, as shown in the following table.

LiteralOperator
billghas
*billghassuffix
billg*hasprefix
*billg*contains
bi*lgmatches regex

You can also restrict the search to a specific column, look for an exact match instead of a term match, or search by regular expression. The syntax for each of these cases is shown in the following table.

SyntaxExplanation
ColumnName:StringLiteralThis syntax can be used to restrict the search to a specific column. The default behavior is to search all columns.
ColumnName==StringLiteralThis syntax can be used to search for exact matches of a column against a string value. The default behavior is to look for a term-match.
Column matches regex StringLiteralThis syntax indicates regular expression matching, in which StringLiteral is the regex pattern.

Use boolean expressions to combine conditions and create more complex searches. For example, "error" and x==123 would result in a search for records that have the term error in any columns and the value 123 in the x column.

Search predicate syntax examples

#SyntaxMeaning (equivalent where)Comments
1search "err"where * has "err"
2search in (T1,T2,A*) "err"union T1,T2,A* | where * has “err”
3search col:"err"where col has "err"
4search col=="err"where col=="err"
5search "err*"where * hasprefix "err"
6search "*err"where * hassuffix "err"
7search "*err*"where * contains "err"
8search "Lab*PC"where * matches regex @"\bLab.*PC\b"
9search *where 0==0
10search col matches regex "..."where col matches regex "..."
11search kind=case_sensitiveAll string comparisons are case-sensitive
12search "abc" and ("def" or "hij")where * has "abc" and (* has "def" or * has hij")
13search "err" or (A>a and A<b)where * has "err" or (A>a and A<b)

Remarks

Unlike the find operator, the search operator doesn’t support the following syntax:

  1. withsource=: The output always includes a column called $table of type string whose value is the table name from which each record was retrieved (or some system-generated name if the source isn’t a table but a composite expression).
  2. project=, project-smart: The output schema is equivalent to project-smart output schema.

Examples

The example in this section shows how to use the syntax to help you get started.

Search for the term Green in all the tables of the ContosoSales database.

The output finds records with the term Green as a last name or a color in the Customers, Products, and SalesTable tables.

 search "Green"

Output

$tableCityNameContinentNameCustomerKeyEducationFirstNameGenderLastName
CustomersBallardNorth America16549Partial CollegeMasonMGreen
CustomersBellinghamNorth America2070High SchoolAdamMGreen
CustomersBellinghamNorth America10658BachelorsSaraFGreen
CustomersBeverly HillsNorth America806Graduate DegreeRichardMGreen
CustomersBeverly HillsNorth America7674Graduate DegreeJamesMGreen
CustomersBurbankNorth America5241Graduate DegreeMadelineFGreen

Search for records that contain the term Green and one of either terms Deluxe or Proseware in the ContosoSales database.

search "Green" and ("Deluxe" or "Proseware")

Output

$tableProductNameManufacturerColorNameClassNameProductCategoryName
ProductsContoso 8GB Clock & Radio MP3 Player X850 GreenContoso, LtdGreenDeluxeAudio
ProductsProseware Scan Jet Digital Flat Bed Scanner M300 GreenProseware, Inc.GreenRegularComputers
ProductsProseware All-In-One Photo Printer M200 GreenProseware, Inc.GreenRegularComputers
ProductsProseware Ink Jet Wireless All-In-One Printer M400 GreenProseware, Inc.GreenRegularComputers
ProductsProseware Ink Jet Instant PDF Sheet-Fed Scanner M300 GreenProseware, Inc.GreenRegularComputers
ProductsProseware Desk Jet All-in-One Printer, Scanner, Copier M350 GreenProseware, Inc.GreenRegularComputers
ProductsProseware Duplex Scanner M200 GreenProseware, Inc.GreenRegularComputers

Search a specific table

Search for the term Green only in the Customers table.

search in (Products) "Green"

Output

$tableProductNameManufacturerColorName
ProductsContoso 4G MP3 Player E400 GreenContoso, LtdGreen
ProductsContoso 8GB Super-Slim MP3/Video Player M800 GreenContoso, LtdGreen
ProductsContoso 16GB Mp5 Player M1600 GreenContoso, LtdGreen
ProductsContoso 8GB Clock & Radio MP3 Player X850 GreenContoso, LtdGreen
ProductsNT Wireless Bluetooth Stereo Headphones M402 GreenNorthwind TradersGreen
ProductsNT Wireless Transmitter and Bluetooth Headphones M150 GreenNorthwind TradersGreen

Search for records that match the case-sensitive term in the ContosoSales database.

search kind=case_sensitive "blue"

Output

$tableProductNameManufacturerColorNameClassName
ProductsContoso 16GB New Generation MP5 Player M1650 blueContoso, LtdblueRegular
ProductsContoso Bright Light battery E20 blueContoso, LtdblueEconomy
ProductsLitware 120mm Blue LED Case Fan E901 blueLitware, Inc.blueEconomy
NewSalesLitware 120mm Blue LED Case Fan E901 blueLitware, Inc.blueEconomy
NewSalesLitware 120mm Blue LED Case Fan E901 blueLitware, Inc.blueEconomy
NewSalesLitware 120mm Blue LED Case Fan E901 blueLitware, Inc.blueEconomy
NewSalesLitware 120mm Blue LED Case Fan E901 blueLitware, Inc.blueEconomy

Search specific columns

Search for the terms Aaron and Hughes, in the “FirstName” and “LastName” columns respectively, in the ContosoSales database.

search FirstName:"Aaron" or LastName:"Hughes"

Output

$tableCustomerKeyEducationFirstNameGenderLastName
Customers18285High SchoolRileyFHughes
Customers802Graduate DegreeAaronMSharma
Customers986BachelorsMelanieFHughes
Customers12669High SchoolJessicaFHughes
Customers13436Graduate DegreeMariahFHughes
Customers10152Graduate DegreeAaronMCampbell

Limit search by timestamp

Search for the term Hughes in the ContosoSales database, if the term appears in a record with a date greater than the given date in ‘datetime’.

search "Hughes" and DateKey > datetime('2009-01-01')

Output

$tableDateKeySalesAmount_real
SalesTable2021-12-13T00:00:00Z446.4715
SalesTable2021-12-13T00:00:00Z120.555
SalesTable2021-12-13T00:00:00Z48.4405
SalesTable2021-12-13T00:00:00Z39.6435
SalesTable2021-12-13T00:00:00Z56.9905

Performance Tips

#TipPreferOver
1Prefer to use a single search operator over several consecutive search operatorssearch "billg" and ("steveb" or "satyan")search “billg” | search “steveb” or “satyan”
2Prefer to filter inside the search operatorsearch "billg" and "steveb"search * | where * has “billg” and * has “steveb”