Contribute in GitHub:
Edit online
!endswith_cs operator
Filters a record set for data that does not contain a case-insensitive ending string.
The following table provides a comparison of the endswith operators:
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
endswith |
RHS is a closing subsequence of LHS | No | "microsoftWindowsSource5" endswith "CE5" |
!endswith |
RHS isn't a closing subsequence of LHS | No | "microsoftWindowsSource5" !endswith "micro" |
endswith_cs |
RHS is a closing subsequence of LHS | Yes | "microsoftWindowsSource5" endswith_cs "ce5" |
!endswith_cs |
RHS isn't a closing subsequence of LHS | Yes | "microsoftWindowsSource5" !endswith_cs "CE5" |
The following abbreviations are used in the table above:
- RHS = right hand side of the expression
- LHS = left hand side of the expression
For further information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Performance depends on the type of search and the structure of the data.
For faster results, use the case-sensitive version of an operator, for example, endswith_cs, not endswith.
Syntax
T | where col !endswith_cs (expression)
Arguments
- T - The tabular input whose records are to be filtered.
- col - The column to filter.
- expression - Scalar or literal expression.
Returns
Rows in T for which the predicate is true.
Example
events
| project original_time, data_source_name, name
//--- Search for the last 5 mins of data
| where original_time > now(-15m)
//--- USER Criteria Here
| where data_source_name !endswith_cs "Ce4"
| take 2
Results
| original_time | data_source_name | name |
|---|---|---|
| 2023-04-11T12:27:01.489Z | microsoftWindowsSource4 | Failure Audit: Privileged Object Operation Failed |
| 2023-04-11T14:52:33.756Z | microsoftWindowsSource4 | Credential Manager Credentials Were Read |