
contains operator

Filters a record set for data containing a case-insensitive string. contains searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.

The following table provides a comparison of the contains operators:

| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
| contains | RHS occurs as a subsequence of LHS | No | "Success Audit" contains "audit" |
| !contains | RHS doesn't occur in LHS | No | "Success Audit" !contains "auditing" |
| contains_cs | RHS occurs as a subsequence of LHS | Yes | "Success Audit" contains_cs "Audit" |
| !contains_cs | RHS doesn't occur in LHS | Yes | "Success Audit" !contains_cs "auD" |

The following abbreviations are used in the table above:

  • RHS = right hand side of the expression
  • LHS = left hand side of the expression

For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.

Case-insensitive operators are currently supported only for ASCII text. For non-ASCII comparison, use the tolower() function.

Performance tips

Performance depends on the type of search and the structure of the data.

For better performance, try the case-sensitive version of an operator, for example, contains_cs, not contains.

If you're testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters at the start or end of a field, try has or in for better performance. has also works faster than contains, startswith, or endswith; however, it is not as precise and could provide unwanted records.


Syntax

T | where col contains (expression)


Arguments

  • T - The tabular input whose records are to be filtered.
  • col - The column to filter.
  • expression - Scalar or literal expression.


Returns

Rows in T for which the predicate is true.


    // T is the tabular input (the table name is not shown on this page)
    T
    | project original_time, data_source_name, name, user_id
    //--- Search for the last 5 mins of data
    | where original_time > now(-5m)
    // Look for events with successful audit
    | where name contains "success audit"
    | take 2


| original_time | data_source_name | name |
|---|---|---|
| 2023-04-13T13:59:29.732Z | microsoftWindowsSource2 | Success Audit: The domain controller validated the credentials for an account |
| 2023-04-13T13:59:30.900Z | microsoftWindowsSource4 | Success Audit: An account was successfully logged on |
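
The following is an added example, not part of the original page: it evaluates the four operators from the comparison table, has from the performance tips, and the tolower() workaround for non-ASCII text side by side as boolean columns, so the rows each variant would keep or drop in a filter can be compared directly. SampleEvents and its rows are constructed for illustration, and the query assumes the engine supports the datatable operator.

```kql
// Constructed sample rows (not real events); SampleEvents is a hypothetical name.
// Assumes the query engine supports the datatable operator.
let SampleEvents = datatable(name: string)
[
    "Success Audit: An account was successfully logged on",
    "SUCCESS AUDIT: A user account was changed",
    "Failure Audit: An account failed to log on",
    "Unsuccessful audit policy change",
    "Succès Audit: ÉVÉNEMENT enregistré"
];
SampleEvents
| extend
    // Case-insensitive substring match (ASCII only).
    ci_substring = name contains "success audit",
    // Case-sensitive substring match; the faster choice when the casing is known.
    cs_substring = name contains_cs "Success Audit",
    // Negated forms: true when the string does not occur in the value.
    ci_absent = name !contains "auditing",
    cs_absent = name !contains_cs "auD",
    // Term match: intended for a word bounded by non-alphanumeric characters.
    whole_term = name has "success",
    // Non-ASCII text: lower-case both sides explicitly, then compare
    // with the case-sensitive operator.
    non_ascii = tolower(name) contains_cs tolower("ÉVÉNEMENT")
| project name, ci_substring, cs_substring, ci_absent, cs_absent, whole_term, non_ascii
```

Comparing the ci_substring and whole_term columns on the "Unsuccessful audit policy change" row shows where substring and term matching diverge, which is the case to check before swapping contains for has in a detection rule.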