Contribute in GitHub:
Edit online
has_any operator
Filters a record set for data with any of a set of case-insensitive strings. has searches for indexed terms, where a term is three or more characters. If your term is fewer
than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Performance depends on the type of search and the structure of the data.
For faster results, use the case-sensitive version of an operator, for example, has_cs, not has.
Syntax
T | where Column has_any (list of scalar expressions)
T | where Column has_any (tabular expression)
Arguments
- T - Tabular input whose records are to be filtered.
- Column - Column to filter.
- list of expressions - Comma separated list of scalar or literal expressions
- tabular expression - Tabular expression that has a set of values (if expression has multiple columns, the first column is used). Currently not supported.
Returns
Rows in T for which the predicate is true
Notes
- The expression list can produce up to
10,000values. - For tabular expressions, the first column of the result set is selected.
Examples
Use has_any operator with a list
events
| project original_time, data_source_name, name
//--- Search for the last 5 mins of data and events that contain any string in the list
| where original_time > now(-25m) and name has_any ("login", "failed")
| take 15
Results
| original_time | data_source_name | name |
|---|---|---|
| 2023-04-08T21:31:24.620Z | microsoftWindowsSource2 | MSSQL Login failed for user |
| 2023-04-08T21:31:24.620Z | microsoftWindowsSource6 | MSSQL Login succeeded for user |