contains operator
Filters a record set for data containing a case-insensitive string. contains searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.

The following table provides a comparison of the contains operators:
Operator | Description | Case-Sensitive | Example (yields true) |
---|---|---|---|
contains | RHS occurs as a subsequence of LHS | No | "Success Audit" contains "audit" |
!contains | RHS doesn't occur in LHS | No | "Success Audit" !contains "auditing" |
contains_cs | RHS occurs as a subsequence of LHS | Yes | "Success Audit" contains_cs "Audit" |
!contains_cs | RHS doesn't occur in LHS | Yes | "Success Audit" !contains_cs "auD" |
The following abbreviations are used in the table above:
- RHS = right hand side of the expression
- LHS = left hand side of the expression
For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Case-insensitive operators are currently supported only for ASCII text. For non-ASCII comparison, use the tolower() function on both sides and then compare with a case-sensitive operator.
Performance tips
Performance depends on the type of search and the structure of the data.

For better performance, try the case-sensitive version of an operator, for example, contains_cs, not contains.

If you're testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters at the start or end of a field, for better performance, try has or in. Also, has works faster than contains, startswith, or endswith, however it is not as precise and could provide unwanted records.
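The following Python model, added here as an illustration and not part of the Kusto documentation or engine, applies the rules from the operator table above to an in-memory table of constructed audit events. It implements contains and !contains as a case-insensitive substring test (folding only ASCII letters, to mirror the documented ASCII-only limitation), contains_cs and !contains_cs as a case-sensitive substring test, and a simplified term-based has (whole alphanumeric term match) so that the difference between a character scan and a term lookup from the performance tips can be seen on the same rows. The tokenisation used for has, the ascii_lower helper and the sample events are assumptions made for this example.

```python
"""Model of the KQL contains-family filters over a small in-memory event table.

Assumptions for this example: case-insensitive matching folds ASCII A-Z only
(mirroring the page's ASCII-only note), and `has` is approximated as a whole
alphanumeric-term match. Neither is the engine's actual implementation.
"""
import re

# Constructed sample events, shaped like the Results table on this page.
EVENTS = [
    {"original_time": "2023-04-13T13:59:29.732Z", "data_source_name": "microsoftWindowsSource2",
     "name": "Success Audit: The domain controller validated the credentials for an account"},
    {"original_time": "2023-04-13T13:59:30.900Z", "data_source_name": "microsoftWindowsSource4",
     "name": "Success Audit: An account was successfully logged on"},
    {"original_time": "2023-04-13T13:59:31.120Z", "data_source_name": "microsoftWindowsSource1",
     "name": "Failure Audit: An account failed to log on"},
    {"original_time": "2023-04-13T13:59:32.004Z", "data_source_name": "linuxAuditd",
     "name": "auditing daemon started"},
]


def ascii_lower(s: str) -> str:
    """Fold only ASCII A-Z to lower case; non-ASCII letters are left untouched.

    This is deliberately narrower than str.lower() so the example reproduces the
    documented limitation: case-insensitive operators only cover ASCII text.
    """
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def contains(lhs: str, rhs: str) -> bool:
    """RHS occurs as a subsequence (substring) of LHS, case-insensitive (ASCII only)."""
    return ascii_lower(rhs) in ascii_lower(lhs)


def not_contains(lhs: str, rhs: str) -> bool:
    """!contains: RHS doesn't occur in LHS, case-insensitive."""
    return not contains(lhs, rhs)


def contains_cs(lhs: str, rhs: str) -> bool:
    """RHS occurs as a substring of LHS, case-sensitive."""
    return rhs in lhs


def not_contains_cs(lhs: str, rhs: str) -> bool:
    """!contains_cs: RHS doesn't occur in LHS, case-sensitive."""
    return not contains_cs(lhs, rhs)


def has(lhs: str, rhs: str) -> bool:
    """Simplified term match (assumption): RHS must equal a whole alphanumeric term of LHS.

    Terms are maximal runs of [A-Za-z0-9_]; comparison is case-insensitive (ASCII).
    A term lookup cannot match inside a longer word, which is why "audit" does not
    `has`-match "auditing" even though it `contains`-matches it.
    """
    terms = re.findall(r"[A-Za-z0-9_]+", ascii_lower(lhs))
    return ascii_lower(rhs) in terms


OPERATORS = {
    "contains": contains,
    "!contains": not_contains,
    "contains_cs": contains_cs,
    "!contains_cs": not_contains_cs,
    "has": has,
}


def where(events: list, col: str, op: str, value: str) -> list:
    """Equivalent of `T | where col <op> value` for the operators modelled above."""
    predicate = OPERATORS[op]
    return [e for e in events if predicate(e[col], value)]


if __name__ == "__main__":
    # Same filter as the page's example query (without the time window and take).
    for row in where(EVENTS, "name", "contains", "success audit"):
        print(row["original_time"], row["data_source_name"], row["name"])
    # Character scan versus term lookup on the same column:
    print(len(where(EVENTS, "name", "contains", "audit")), "rows via contains")
    print(len(where(EVENTS, "name", "has", "audit")), "rows via has")
```

Running the block shows the two Success Audit rows for the page's filter, four rows for contains "audit" (the "auditing" row matches a character scan) but three for has "audit" (a term lookup does not match inside a longer word). The ascii_lower fold also demonstrates the non-ASCII caveat: contains("Ünit", "ünit") is false under ASCII-only folding, while comparing str.lower() of both sides with contains_cs is true.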
Syntax
T | where col contains (expression)
Arguments
- T - The tabular input whose records are to be filtered.
- col - The column to filter.
- expression - Scalar or literal expression.
Returns
Rows in T for which the predicate is true.
Example
```kusto
events
| project original_time, data_source_name, name, user_id
//--- Search for the last 5 mins of data
| where original_time > now(-5m)
// Look for events with successful audit
| where name contains "success audit"
| take 2
```
Results
original_time | data_source_name | name |
---|---|---|
2023-04-13T13:59:29.732Z | microsoftWindowsSource2 | Success Audit: The domain controller validated the credentials for an account |
2023-04-13T13:59:30.900Z | microsoftWindowsSource4 | Success Audit: An account was successfully logged on |