You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: apl/tabular-operators/where-operator.mdx
+8-6
Original file line number
Diff line number
Diff line change
@@ -135,6 +135,8 @@ This query helps filter logs to investigate activity originating from a specific
135
135
136
136
The `* has` pattern in APL is a dynamic and powerful tool within the `where` operator. It offers you the flexibility to search for specific substrings across all fields in a dataset without the need to specify each field name individually. This becomes especially advantageous when dealing with datasets that have numerous or dynamically named fields.
137
137
138
+
`where * has` is an expensive operation because it searches all fields. For a more efficient query, explicitly list the fields in which you want to search. For example: `where firstName has "miguel" or lastName has "miguel"`.
139
+
138
140
### Basic where * has usage
139
141
140
142
Find events where any field contains a specific substring.
@@ -186,26 +188,26 @@ Find the average of a specific field for events where any field contains a certa
186
188
187
189
```kusto
188
190
['sample-http-logs']
189
-
| where * has "japan"
191
+
| where * has "Japan"
190
192
| summarize avg(req_duration_ms)
191
193
```
192
194
193
-
[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%5Cn%7C%20where%20%2A%20has%20%5C%22japan%5C%22%5Cn%7C%20summarize%20avg%28req_duration_ms%29%22%7D&queryOptions=%7B%22quickRange%22%3A%2230d%22%7D)
195
+
[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%5Cn%7C%20where%20%2A%20has%20%5C%22Japan%5C%22%5Cn%7C%20summarize%20avg%28req_duration_ms%29%22%7D&queryOptions=%7B%22quickRange%22%3A%2230d%22%7D)
194
196
195
197
### String case transformation
196
198
197
-
If you’re unsure about the case of the substring in the dataset, convert everything to lowercase for comparison.
199
+
The `has` operator is case insensitive. Use `has` if you’re unsure about the case of the substring in the dataset. For the case-sensitive operator, use `has_cs`.
198
200
199
201
```kusto
200
202
['sample-http-logs']
201
-
| where * has "japan"
203
+
| where * has "mexico"
202
204
| summarize avg(req_duration_ms)
203
205
```
204
206
205
-
[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%5Cn%7C%20where%20%2A%20has%20%5C%22japan%5C%22%5Cn%7C%20summarize%20avg%28req_duration_ms%29%22%7D&queryOptions=%7B%22quickRange%22%3A%2230d%22%7D)
207
+
[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%5Cn%7C%20where%20%2A%20has%20%5C%22mexico%5C%22%5Cn%7C%20summarize%20avg%28req_duration_ms%29%22%7D&queryOptions=%7B%22quickRange%22%3A%2230d%22%7D)
206
208
207
209
## List of related operators
208
210
209
211
-[**count**](/apl/tabular-operators/count-operator): Use `count` to return the number of records that match specific criteria.
210
212
-[**distinct**](/apl/tabular-operators/distinct-operator): Use `distinct` to return unique values in a dataset, complementing filtering.
211
-
-[**take**](/apl/tabular-operators/take-operator): Use `take` to return a specific number of records, typically in combination with `where` for pagination.
213
+
-[**take**](/apl/tabular-operators/take-operator): Use `take` to return a specific number of records, typically in combination with `where` for pagination.
0 commit comments