Contribute in GitHub:

!hasprefix_cs operator

Filters a record set for data that does not have a case-sensitive starting string. has searches for indexed terms, where a term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.

Operator	Description	Case-Sensitive	Example (yields `true`)
`hasprefix`	RHS is a term prefix in LHS	No	`"microsoftWindowsSource1" hasprefix "MICRO"`
`!hasprefix`	RHS isn't a term prefix in LHS	No	`"microsoftWindowsSource1" !hasprefix "soft"`
`hasprefix_cs`	RHS is a term prefix in LHS	Yes	`"microsoftWindowsSource1" hasprefix_cs "micro"`
`!hasprefix_cs`	RHS isn't a term prefix in LHS	Yes	`"microsoftWindowsSource1" !hasprefix_cs "MICRO"`

The following abbreviations are used in the table above:

RHS = right hand side of the expression
LHS = left hand side of the expression

For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.

Performance tips

Performance depends on the type of search and the structure of the data.

For faster results, use the case-sensitive version of an operator, for example, hasprefix_cs, not hasprefix.

Syntax

T | where Column !hasprefix_cs (Expression)

Arguments

T - The tabular input whose records are to be filtered.
Column - The column to filter.
Expression - Scalar or literal expression.

Returns

Rows in T for which the predicate is true.

Example

// !hassuffix_cs case sensitive
events
    | project original_time, data_source_name, name
    //--- Search for the last 5 mins of data    
    | where original_time > now(-5m)
    //--- USER Criteria Here
    | where data_source_name !hasprefix_cs "MICRO"
    | take 2

Results

original_time	data_source_name	name
2023-04-11T16:15:06.912Z	microsoftWindowsSource2	Instance ID Information
2023-04-11T16:15:06.912Z	microsoftWindowsSource6	Ticket Issued With Size Close to or Greater Than Threshold