Kusto Query Language (KQL) - Search Operator

Basic Syntax:

The basic syntax for the search operator is as follows:

TableName
| search [column] for [searchPattern]
    

• TableName: Specifies the name of the table you want to search within.
• column: Specifies the name of the column you want to search in.
• searchPattern: Specifies the pattern or value you want to search for within the specified column.

Common Use Cases:

1. Exact Match:

You can use search to find rows where a specific column exactly matches a given value. For example:

MyTable
| search MyColumn for "specific value"
    

2. Partial Match:

You can search for rows where a column contains a specific substring or partial match. For example:

MyTable
| search MyColumn for "partial"
    

3. Case-Insensitive Search:

To perform a case-insensitive search, you can use the tolower() function in conjunction with search. This will match values regardless of their case:

MyTable
| search tolower(MyColumn) for "partial"
    

4. Regular Expressions:

KQL supports regular expressions (regex) for more complex pattern matching. You can use the regex keyword within search for this purpose:

MyTable
| search MyColumn regex @"pattern\d{2,4}"
    

5. Searching Multiple Columns:

You can search multiple columns in a table by using multiple search operators or combining them with or:

MyTable
| search Column1 for "value1" or Column2 for "value2"
    

6. Boolean Search:

You can use boolean operators like and, or, and not to create complex search conditions:

MyTable
| search (Column1 for "value1" or Column2 for "value2") and not (Column3 for "value3")
    

7. Filtering Rows:

The search operator can be used as a filter to retrieve rows that match the search criteria. For example:

MyTable
| where searchColumn for "value"
    

The search operator is a versatile tool for searching and filtering data in Kusto Query Language, making it useful for a wide range of scenarios where you need to find specific information within your data tables.