contains Search Operator
The contains
operator compares string values of two parsed fields and returns a boolean result based on whether the second field's value exists in the first.
Syntax
contains(<field1>, <field2>) as <field>
<field1> contains <field2> as <field>
| where <field1> contains <field2>
| where contains(<field1>, <field2>)
Rules
- Requires field values to be strings. You may cast values if needed.
- The full string of field2 must exist within field1.
- Comparison is case sensitive.
- Returns
true
when the value from field2 was found andfalse
when the value was not found in field1. - Returns
true
if field1 and field2 are empty, andfalse
when only one is empty.
Example
Given the following example log:
instance of alertNotification{ EventIdentifier = 100; Address = 123 Main Street, San Francisco, California; City = San Francisco; State = CA;}
Parsing the log so the fields are city
with the value "San Francisco" and address
with the value "123 Main Street, San Francisco, California" you'd use the contains operator to return the log if the value of city
is found in the value of address
.
| where contains(address, city)