stackoom
  简体   繁体   中英

In KQL is there an 'strcat_if' function?

 原文  2021-10-28 10:56:19       azure/ kql/ strcat/ sentinel

Question

I have been working with Defender ATP, and have parsed multiple columns but due to email security I have had to parse seperated columns in the format 'potentialPhishURL' and 'potentialPhishURL_vendor', in doing so I now have two columns, where usually when the vendor has applied a shim to the URL, the standard parse fails, and so with strcat("potentialPhishURL", "potentialPhishURL_vendor") does not work as sometimes both fields are populated.

When both of these columns are populated (potentialPhishURL and potentialPhishURL_vendor) they obviously merge disgustingly and not how I need it (unique values or strcat_if empty) I guess.

Does anyone have any experience with how this is done? Merging a couple of columns in KQL when one of the columns is empty on the same row?

Thanks for reading/ helping if you can!

CB

1 answers

solution1
 0 ACCPTED  2021-10-28 12:08:48

您应该使用iff()函数,例如:

iff(isempty(col2), col1, strcat(col1, col2))

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question KQL - How do I exclude a function that returns no logs in Sentinel? KQL - logical processing of an KQL query How do I reference an XML attribute which begins with an @ symbol using KQL extractjson function? KQL Load Balancer Bytes KQL result request to variable KQL conditional sub query Kusto KQL equivalent to with clause Parse Json Array in KQL Device info using KQL KQL datetime formatting
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM