Forum Widgets
Latest Discussions
Loop through array in KQL
Hi, I've been exploring parsing and noticed that when parsing xml you get dictionaries and arrays. You can't pass those in functions, but you can pass a var of type dynamic, but then to loop you have to make a table and join the table with the query that you ran. Does anybody have any idea of how to loop through an array, I couldn't find anything around this?
KQL query question: Filter out results where condition1, condition2, condition3 all evaluate true
Hi Sentinel friends, I've googled and read through many guides and can't find an easy way to perform a multi-variable exclusion statement. I need to be able to exclude a result if multiple variables ALL evaluate true. The pseudo logic I'm looking to apply is something like: Table | where Event == "12" (pseudo code) | except where (condition1 == x AND condition2 == y AND condition 3 == z) I tried things like: 1) | !where condition1 == "x" and condition2 == "y" and condition3 == "z" [this doesn't work] 2) | where !(condition1 == "x" and condition2 == "y" and condition3 == "z") [this doesn't work] 3) | where condition1 != "x" and !condition2 != "y" and condition3 == "z" [the logic here evaluates all conditions separately, instead I need it to only exclude only when all of the variables evaluate true for a specific log line] The only way I could figure out how to do this was to do 2 queries then do a left antijoin of the resulting datasets, but it's a big and messy query. I'm hoping that there's a simpler method that I'm missing. Ex: Table | where Event == "12" | join kind=leftanti ( Table |where Event == "12" | where condition1 == "x" and condition2 == "y" and condition3 == "z") on KEY Note: I did find materialize so at least I'm not querying the dataset twice.
