Filters a record set for data that does not include a case-sensitive string.
contains searches for characters rather than terms of three or more characters. The query scans
the values in the column, which is slower than looking up a term in a term index.
The following table provides a comparison of the
||RHS occurs as a subsequence of LHS||No||
||RHS doesn't occur in LHS||No||
||RHS occurs as a subsequence of LHS||Yes||
||RHS doesn't occur in LHS||Yes||
The following abbreviations are used in the table above:
- RHS = right hand side of the expression
- LHS = left hand side of the expression
For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Case-insensitive operators are currently supported only for ASCII-text. For non-ASCII comparison, use the tolower() function.
Performance depends on the type of search and the structure of the data.
For faster results, use the case-sensitive version of an operator, for example,
If you're testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters at the start or end of a field, for faster results use
has works faster
endswith, however it is not as precise and could provide unwanted records.
Case insensitive syntax
- T - The tabular input whose records are to be filtered.
- Column - The column to filter.
- Expression - Scalar or literal expression.
Rows in T for which the predicate is
events | project original_time, data_source_name, name //--- Search for the last 5 mins of data | where original_time > now(-5m) // Look for events with unsuccessful audit | where name !contains "success" | take 2
|2023-04-13T13:59:29.732Z||microsoftWindowsSource2||Failure Audit: An account failed to log on|
|22023-04-13T13:59:30.900Z||microsoftWindowsSource2||Failure Audit: An account failed to log on|