Contribute in GitHub:
Edit online
!contains_cs operator
Filters a record set for data that does not include a case-sensitive string. contains searches for characters rather than terms of three or more characters. The query scans
the values in the column, which is slower than looking up a term in a term index.
The following table provides a comparison of the contains operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
contains |
RHS occurs as a subsequence of LHS | No | "CiscoASA" contains "AsA" |
!contains |
RHS doesn't occur in LHS | No | "CiscoASA" !contains "abc" |
contains_cs |
RHS occurs as a subsequence of LHS | Yes | "CiscoASA" contains_cs "ASA" |
!contains_cs |
RHS doesn't occur in LHS | Yes | "CiscoASA" !contains_cs "Asa" |
The following abbreviations are used in the table above:
- RHS = right hand side of the expression
- LHS = left hand side of the expression
For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Performance depends on the type of search and the structure of the data.
For faster results, use the case-sensitive version of an operator, for example, contains_cs, not contains.
If you're testing for the presence of a symbol or alphanumeric word that is bound by non-alphanumeric characters at the start or end of a field, for faster results use has or in. Also, has works faster
than contains, startswith, or endswith, however it is not as precise and could provide unwanted records.
Syntax
Case-sensitive syntax
T | where Column !contains_cs (Expression)
Arguments
- T - The tabular input whose records are to be filtered.
- Column - The column to filter.
- Expression - Scalar or literal expression.
Returns
Rows in T for which the predicate is true.
Example
events
| project original_time, data_source_name
| where original_time > ago(5m)
and data_source_name !contains_cs "ASA"
| summarize EventCount=count() by DataSourceName=data_source_name
| project DataSourceName, EventCount
| sort by EventCount
| take 10
Results
| DataSourceName | EventCount |
|---|---|
| CheckPointSource1 | 102394 |
| CheckPointSource2 | 101391 |
| paloAltoPASeriesSource2 | 82714 |
| paloAltoPASeriesSource7 | 81714 |
| microsoftWindowsSource2 | 75766 |