Contribute in GitHub:
Edit online
!has operator
Filters a record set for data that does not have a matching case-insensitive string. has searches for indexed terms, where a term is three or more characters. If your term
is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
The following table provides a comparison of the has operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
has |
Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "Login Failed" has "failed" |
!has |
RHS isn't a full term in LHS | No | "Login Failed" !has "fail" |
has_cs |
RHS is a whole term in LHS | Yes | "Login Failed" has_cs "Failed" |
!has_cs |
RHS isn't a full term in LHS | Yes | "Login Failed" !has_cs "fail" |
The following abbreviations are used in the table above:
- RHS = right hand side of the expression.
- LHS = left hand side of the expression.
For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Case-insensitive operators are currently supported only for ASCII-text. For non-ASCII comparison, use the tolower() function.
Performance tips
Performance depends on the type of search and the structure of the data.
For faster results, use the case-sensitive version of an operator, for example, has_cs, not has.
If you're testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters at the start or end of a field, for faster results use has or in.
Syntax
T | where Column !has (Expression)
Arguments
- T - The tabular input whose records are to be filtered.
- Column - The column to filter.
- Expression - Scalar or literal expression.
Returns
Rows in T for which the predicate is true.
Example
events
| project original_time, data_source_name, name
//--- Search for the last 5 mins of data and events don't contain login
| where original_time > now(-5m) and name !has "login"
| take 2
Results
| original_time | data_source_name | name |
|---|---|---|
| 2023-04-09T21:31:24.620Z | microsoftWindowsSource2 | Beginning the backup |
| 2023-04-09T21:31:24.620Z | microsoftWindowsSource6 | Ending the backup |