Kusto Query Language: Get keyword that was matched (has_any)
Question
I am feeding a csv file in my KQL as an external data source. I run a query to match a column:
Events | where Title has_any (ColumnName) | project Title, EventId
Now, I want to join the output with the column value that was matched. Like if column has values: "test","test2","test3" and "test2" was matched in the above query, result table should be something like:
Title,EventId,MatchedColumnValue
Please help
1 answers
solution1
2 2021-08-25 07:00:54
Here is how to do it using the has_any_index() function:
let Values = dynamic(["title1", "title2", "title3"]);
let Events = datatable(EventId:int, Title:string)[1,"this is title2, and its boring", 2, "title3 is great", 3, "Nothing to find"];
Events
| extend Idx = has_any_index(Title, Values)
| extend MatchedTitle = iif(Idx<0, "", tostring(Values[Idx]))
| project-away Idx
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Kusto Query Language: Sum a column
Paging on ADX table. how to skip the records in kusto query language
Need to achieve the below output using Kusto Query language(KQl)
Kusto Query Language - Round datetime to nearest month using bin
Kusto Query Language: semantic error on user-defined functions
Is there a way to define a dictionary in kusto query and get both key and value
Kusto Query Pipeline Query
How better I can optimize this Kusto Query to get my logs
Use Dictionary returned by Kusto Query
Kusto query help for Condition filter
Related Tags