match regex operator
Filters a record set, keeping only the rows whose column value matches a case-sensitive regular expression.
Syntax
```kusto
T | where col matches regex (expression)
```
Arguments
- T - The tabular input whose records are to be filtered.
- col - The column to filter.
- expression - The regular expression to match against col, given as a scalar or literal string expression.
Returns
Rows in T for which the predicate is true.
Example
This example applies a regular expression to the payload column of events from the last 24 hours, keeping only records whose payload contains the term QRadar (matched case-sensitively), and then counts the matching records per event name.
```kusto
events
| project payload, name, original_time
| where original_time > ago(24h)
| where payload matches regex "QRadar"
| summarize EventCount=count() by EventName=name
```
Results
| EventName | EventCount |
|---|---|
| Trojan/Win32.autoit.cbx(89652587) | 3183766 |
| Fault Bucket | 102822 |
| RFC2397 Data URL Scheme Usage Detection | 34131 |
| Initialization status for service objects. | 322 |
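As an added illustration of the operator's semantics (not code from the original page), the pipeline above is emulated in Python over a constructed event set. It assumes the match is an unanchored, case-sensitive search, as the page states, and fixes the reference time so the 24-hour window is deterministic.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed reference time standing in for now(), so ago(24h) is reproducible.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample records shaped like the 'events' table (payload, name,
# original_time). Not real QRadar data.
EVENTS = [
    {"payload": "Alert from QRadar: suspicious process", "name": "Fault Bucket",
     "original_time": NOW - timedelta(hours=1)},
    {"payload": "QRadar offense created", "name": "Fault Bucket",
     "original_time": NOW - timedelta(hours=3)},
    {"payload": "qradar lowercase mention", "name": "Fault Bucket",
     "original_time": NOW - timedelta(hours=2)},   # dropped: match is case-sensitive
    {"payload": "QRadar heartbeat", "name": "Initialization status for service objects.",
     "original_time": NOW - timedelta(days=2)},    # dropped: outside the 24h window
    {"payload": "Unrelated event", "name": "RFC2397 Data URL Scheme Usage Detection",
     "original_time": NOW - timedelta(minutes=5)}, # dropped: no regex match
]


def matches_regex(value, pattern: str) -> bool:
    """Emulate `col matches regex pattern`: a case-sensitive, unanchored search.
    A missing (None) column value never matches."""
    if value is None:
        return False
    return re.search(pattern, value) is not None


def run_query(events, pattern: str, window_hours: int = 24, now: datetime = NOW) -> dict:
    """Emulate: where original_time > ago(window) | where payload matches regex
    pattern | summarize EventCount=count() by EventName=name."""
    cutoff = now - timedelta(hours=window_hours)
    counts: dict = {}
    for ev in events:
        if not ev["original_time"] > cutoff:
            continue
        if not matches_regex(ev["payload"], pattern):
            continue
        counts[ev["name"]] = counts.get(ev["name"], 0) + 1
    return counts


if __name__ == "__main__":
    print(run_query(EVENTS, "QRadar"))        # {'Fault Bucket': 2}
    # If the target engine honours the inline (?i) flag, this also counts
    # the lowercase record: {'Fault Bucket': 3}
    print(run_query(EVENTS, "(?i)qradar"))
```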