
!contains operator

Filters a record set for data that does not include a case-insensitive string. !contains searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.

The following table provides a comparison of the contains operators:

| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
| contains | RHS occurs as a subsequence of LHS | No | "Success Audit" contains "audit" |
| !contains | RHS doesn't occur in LHS | No | "Success Audit" !contains "auditing" |
| contains_cs | RHS occurs as a subsequence of LHS | Yes | "Success Audit" contains_cs "Audit" |
| !contains_cs | RHS doesn't occur in LHS | Yes | "Success Audit" !contains_cs "auD" |

The following abbreviations are used in the table above:

  • RHS = right hand side of the expression
  • LHS = left hand side of the expression

For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.

Case-insensitive operators are currently supported only for ASCII-text. For non-ASCII comparison, use the tolower() function.

Performance tips

Performance depends on the type of search and the structure of the data.

For faster results, use the case-sensitive version of an operator, for example, contains_cs, not contains.

If you're testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters at the start or end of a field, use has or in for faster results. Also, has works faster than contains, startswith, or endswith; however, it is not as precise and could return unwanted records.


Case-insensitive syntax

T | where Column !contains (Expression)


  • T - The tabular input whose records are to be filtered.
  • Column - The column to filter.
  • Expression - Scalar or literal expression.


Returns the rows in T for which the predicate is true.


    // T: the tabular input to filter (see the syntax above)
    T
    | project original_time, data_source_name, name
    // Restrict to the last 5 minutes of data
    | where original_time > now(-5m)
    // Keep events whose name does not contain "success" (case-insensitive)
    | where name !contains "success"
    | take 2


| original_time | data_source_name | name |
|---|---|---|
| 2023-04-13T13:59:29.732Z | microsoftWindowsSource2 | Failure Audit: An account failed to log on |
| 2023-04-13T13:59:30.900Z | microsoftWindowsSource2 | Failure Audit: An account failed to log on |
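
The negated operators from the comparison table, run side by side on a few event names, as an added example that is not part of the original page. The rows are constructed, and the query assumes that the datatable operator and !has (the negation of the has operator mentioned under Performance tips) are available in your query environment.

```kusto
// Constructed sample event names (not taken from the original page).
datatable(name: string)
[
    "Success Audit: An account was successfully logged on",
    "Failure Audit: An account failed to log on",
    "Unsuccessful logon attempt",
    "SUCCESS AUDIT: Special privileges assigned",
    "Échec de l'audit"
]
| extend
    // Case-insensitive substring test: any occurrence of the characters counts,
    // including one inside a longer word.
    not_contains    = name !contains "success",
    // Case-sensitive substring test: faster, but "SUCCESS" and "success"
    // are not treated as matches for "Success".
    not_contains_cs = name !contains_cs "Success",
    // Case-insensitive whole-term test: only a complete term bounded by
    // non-alphanumeric characters counts.
    not_has         = name !has "success",
    // Non-ASCII text: lowercase first, then compare case-sensitively,
    // following the page's note about tolower().
    not_echec       = tolower(name) !contains_cs "échec"
| project name, not_contains, not_contains_cs, not_has, not_echec
```

The row "Unsuccessful logon attempt" is dropped by !contains "success" because the characters occur inside "Unsuccessful", while !has "success" keeps it. Check which of the two behaviours a failed-logon filter needs before relying on it.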