The Amazing KQL

search

Last updated 2 years ago

Use search when you know what you are looking for, but don't know where it is.

For example, I know I have a device whose name starts with THINK, but I can't remember the exact name and I just want to see what data I get.

A faster way to filter the data that you are looking for is to use "where".

🔍Search everything, not case sensitive

search "*think*"

This returns all the results that contain think (not case sensitive) from all columns and all tables.

🔍Search matched words, case sensitive

search kind=case_sensitive "THINK460"

🔍Search from specific tables

search in (IntuneDevices, UCClient) "THINK460"

🔍Search the value from the specified column

// Search for THINK in the DeviceName column only
IntuneDevices
| search DeviceName: "THINK"

🔍Search starts with and ends with

// Search startswith
IntuneDevices
| search * startswith "THINK" 

// Search endswith
IntuneDevices
| search * endswith "01" 

🔍Search combined logically

IntuneDevices
| search * endswith "01" and ("Windows" or "iOS")

🔍Search with regex

IntuneDevices
| search DeviceName matches regex "[A-Z]-"
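
The search forms above translate to ordinary string operators, which is what you need when moving a query from search to where. The following is an added example, not part of the original page: SampleDevices and its rows are constructed, and each comment names the search form that, per the search operator's term-matching rules, corresponds to the operator on that line.

```kusto
// Constructed sample rows standing in for IntuneDevices.
// Only DeviceName is a column named on the page; OS is illustrative.
let SampleDevices = datatable(DeviceName:string, OS:string)
[
    "THINK460-01",    "Windows",
    "think-lab-02",   "Windows",
    "IPAD-THINKTANK", "iOS",
    "SURFACE-01",     "Windows"
];
SampleDevices
| extend
    // search DeviceName:"THINK"    -> whole-term match, case-insensitive
    TermMatch   = DeviceName has "THINK",
    // search DeviceName:"THINK*"   -> a term begins with the text
    PrefixMatch = DeviceName hasprefix "THINK",
    // search DeviceName:"*THINK*"  -> plain substring match
    Substring   = DeviceName contains "THINK",
    // search DeviceName startswith "THINK" -> the whole value begins with the text
    StartsWith  = DeviceName startswith "THINK",
    // search kind=case_sensitive DeviceName:"THINK" -> whole-term match, case-sensitive
    TermMatchCs = DeviceName has_cs "THINK"
| project DeviceName, TermMatch, PrefixMatch, Substring, StartsWith, TermMatchCs
```

Comparing the boolean columns row by row shows which devices a bare term would miss and a wildcard form would catch, so you can pick the matching where operator deliberately.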