Searching and finding data

By Gianni Castaldi

Welcome to the fifth blog post in the series becoming a Kusto Knight. While the previous blog post was about time in Kusto, this blog post will be about searching and finding data.

The three most used operators are search, where and has.

search is the first operator we will learn about. In the beginning, I used an inefficient query. So let us start to discover the search operator.

search * | where * contains "kustoking"

A more efficient way would be:

search "*kustoking*"

which also runs:

search *
| where * contains "kustoking"

but more efficiently. An even better way would be to run

search "kustoking"

because it runs the following query:

search *
| where * has "kustoking"

As we have learned in an earlier blog post, the has operator is more efficient than the contains operator.

We can also use the search operator to do a hasprefix or hassuffix search:

search "gianni*"

and

search "*kustoking.com"

We can also state the tables the query should look in with the query:

search in (OfficeActivity, SigninLogs, AAD*) "kustoking"

which runs the following query:

union OfficeActivity, SigninLogs, AAD* 
| where * has "kustoking"

Since we are looking at Azure AD events, we can also search all tables for a specific column that contains a certain value:

search UserPrincipalName:"kustoking"

which runs:

search *
| where UserPrincipalName has "kustoking"

When we want to search all Office and Azure AD activity from the user Gianni on an Android device, we can do that with the following search:

search in (OfficeActivity, SigninLogs, AAD*) "gianni" and "android"

which runs:

union OfficeActivity, SigninLogs, AAD*
| where * has "gianni" and * has "android"

where and has are the operators we use to filter the results. To do some tests, we will import some data:

let FruitShipments = externaldata(Fruit:string,Colour:string,Container:string,Customer:string,Region:string)
[
h@"https://raw.githubusercontent.com/KustoKing/SampleData/main/FruitShipments.csv"
]
with(format='csv',ignoreFirstRecord=true);
FruitShipments

which looks like the following:

We can use the where operator to filter our results.

FruitShipments
| where Colour == "Red"

FruitShipments
| where Colour has "Red"

We will also view the results from the contains operator, so that we can see the difference between the has and the contains operator.

FruitShipments
| where Colour contains "Red"
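To make the desugaring of the search patterns and the has/contains difference concrete, here is an added Python model that is not part of the original post or of Kusto itself: it implements simplified has, hasprefix, hassuffix and contains semantics (Kusto terms are approximated as runs of alphanumeric characters), maps the four search patterns above to those predicates, and runs them over a few constructed rows shaped like FruitShipments.

```python
import re
from typing import Callable, List

# Simplified model of a Kusto term: a run of alphanumeric characters (assumption; the real
# engine has extra rules, e.g. around very short terms).
_TERM = re.compile(r"[A-Za-z0-9]+")

def terms(text: str) -> List[str]:
    """Lower-cased terms of a value: has/hasprefix/hassuffix are case-insensitive."""
    return [t.lower() for t in _TERM.findall(text)]

def _any_window(lhs: str, rhs: str, ok: Callable[[List[str], List[str]], bool]) -> bool:
    """True if some run of len(rhs-terms) consecutive LHS terms satisfies ok()."""
    l, r = terms(lhs), terms(rhs)
    return bool(r) and any(ok(l[i:i + len(r)], r) for i in range(len(l) - len(r) + 1))

def kql_contains(lhs: str, rhs: str) -> bool:   # where Col contains "x"
    return rhs.lower() in lhs.lower()            # plain substring, ignores term boundaries
def kql_has(lhs: str, rhs: str) -> bool:        # where Col has "x"
    return _any_window(lhs, rhs, lambda w, r: w == r)   # whole terms only
def kql_hasprefix(lhs: str, rhs: str) -> bool:  # where Col hasprefix "x"
    return _any_window(lhs, rhs, lambda w, r: w[:-1] == r[:-1] and w[-1].startswith(r[-1]))
def kql_hassuffix(lhs: str, rhs: str) -> bool:  # where Col hassuffix "x"
    return _any_window(lhs, rhs, lambda w, r: w[1:] == r[1:] and w[0].endswith(r[0]))

def predicate_for(search_term: str) -> Callable[[str], bool]:
    """How `search "..."` desugars: "*x*" -> contains, "x*" -> hasprefix, "*x" -> hassuffix, "x" -> has."""
    starts, ends, body = search_term.startswith("*"), search_term.endswith("*"), search_term.strip("*")
    op = kql_contains if starts and ends else kql_hasprefix if ends else kql_hassuffix if starts else kql_has
    return lambda v: op(v, body)

# Constructed rows shaped like the post's FruitShipments table (not the real CSV).
FRUIT_SHIPMENTS = [
    {"Fruit": "Apple",  "Colour": "Red",            "Customer": "gianni@kustoking.com"},
    {"Fruit": "Cherry", "Colour": "Dark Red",       "Customer": "bob@example.com"},
    {"Fruit": "Grape",  "Colour": "Reddish Purple", "Customer": "Gianni Castaldi"},
    {"Fruit": "Lime",   "Colour": "Green",          "Customer": "alice@kustoking.com"},
]

def search(term: str, column: str = "") -> List[str]:
    """`search "term"` over every column (like `* has`), or `search Column:"term"`."""
    pred = predicate_for(term)
    return [row["Fruit"] for row in FRUIT_SHIPMENTS
            if any(pred(v) for v in ([row[column]] if column else row.values()))]

def where_colour(op: str, value: str) -> List[str]:
    """FruitShipments | where Colour <op> value, for ==, has and contains."""
    ops = {"==": lambda l, r: l == r, "has": kql_has, "contains": kql_contains}
    return [row["Fruit"] for row in FRUIT_SHIPMENTS if ops[op](row["Colour"], value)]
```

Running `where_colour` with "==", "has" and "contains" for "Red" shows the three result sets shrink from substring matches ("Reddish") to whole-term matches ("Dark Red") to the exact value only.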

In this blog post, we read about the search operator and we briefly revisited the where and has operators. The next blog post will be about combining your search results.

By Gianni Castaldi

MVP | NinjaCat | Researching and Engineering Cyber Security @ KustoWorks
