๐ŸŒด
The Amazing KQL
  • The Amazing KQL
  • ๐Ÿ’ KQL Quick Guide
    • Useful Resources ๐Ÿ”ฆ
    • My favorites ๐Ÿ˜
      • search
      • take
      • where
      • summarize
        • arg_max()
        • count, countif
        • dcount, dcountif
        • take_any
      • distinct
      • case
      • project
        • project-reorder
        • project-away
        • project-rename
        • project-keep
      • sort by
      • extend
      • extract
        • extract_all
      • parse
      • stract
      • count
        • countif
      • mv-expand
      • dcount
        • dcountif
      • Create table
      • let
      • join
      • union
      • materialize
    • Need to practice more ๐ŸŽฏ
      • toscalar
      • range
      • make-series
      • series_outliers
      • set_differenc
      • pack
      • summarize
        • make_bag
        • make_set, make_list
      • evaluate
        • pivot
        • bag_unpack
        • pack_all
      • mv-expand
      • set_difference
      • render
    • Need to learn later ๐Ÿข
      • scan
      • ExtractParseParse-kv-Tabular
      • decode
      • mv-apply
      • prev and next
      • row_cumsum
      • any
      • top-nested
      • Time Series
        • series_stats
        • series_fir
        • series_iir
        • series_fit_line
        • series_fit_2lines
      • Machine Learning
        • basket
        • autocluster
        • diffpatterns
        • reduce
  • ๐Ÿ’ปMicrosoft Endpoint Manager
    • Device Inventory
      • Device OS version
      • Same AAD Device ID and Intune Device ID
Powered by GitBook
On this page
  • ๐Ÿ” Search from a column
  • ๐Ÿ” Search from any column at the start
  • ๐Ÿ”Search from any column at the end
  • ๐Ÿ”Search with regax
  1. KQL Quick Guide
  2. My favorites ๐Ÿ˜

where

PrevioustakeNextsummarize

Last updated 2 years ago

where is similar to search, but it limits based on conditions, rather than looking at all the data. This make the query run much faster than using search

You can read the search chapter again ๐Ÿ‘‡

๐Ÿ” Search from a column

//use where
IntuneDevices
| where DeviceName contains "THINK"

//Use search
IntuneDevices
| search DeviceName: "THINK*"

๐Ÿ” Search from any column at the start

// use where
IntuneDevices
| where * hasprefix "MVP"  // At the start

//use search
IntuneDevices
| search * startswith "MVP" // At the start

๐Ÿ”Search from any column at the end

// use where
IntuneDevices
| where * hassuffix "460"  // At the end

// use search
IntuneDevices
| search * endswith "460"  // At the end

๐Ÿ”Search with regax

// use where
IntuneDevices
| where DeviceName matches regex "[A-Z]-"

//use search
IntuneDevices
| search DeviceName matches regex "[A-Z]-"
๐Ÿ’ 
search