
!has operator

Applies to: ✅ Microsoft Fabric, Azure Data Explorer, Azure Monitor, Microsoft Sentinel

Filters a record set for data that doesn't have a matching case-insensitive string. !has searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.

The following table compares the has operators using the abbreviations provided:

  • RHS = right-hand side of the expression
  • LHS = left-hand side of the expression

| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
| has | Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "North America" has "america" |
| !has | RHS isn't a full term in LHS | No | "North America" !has "amer" |
| has_cs | RHS is a whole term in LHS | Yes | "North America" has_cs "America" |
| !has_cs | RHS isn't a full term in LHS | Yes | "North America" !has_cs "amer" |

For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.

Performance tips

Note

Performance depends on the type of search and the structure of the data. For best practices, see Query best practices.

When possible, use the case-sensitive !has_cs.

Syntax

T | where column !has (expression)

Learn more about syntax conventions.

Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| column | string | ✔️ | The column by which to filter. |
| expression | scalar | ✔️ | The scalar or literal expression for which to search. |

Returns

Rows in T for which the predicate is true.

Example

StormEvents
| summarize event_count=count() by State
| where State !has "NEW"
| where event_count > 3000
| project State, event_count

Output

| State | event_count |
|---|---|
| TEXAS | 4,701 |
| KANSAS | 3,166 |
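
Because !has matches whole terms rather than substrings, it behaves differently from !contains when used as an exclusion filter in a detection query. The following query is an added example, not part of the original documentation; the CommandLine values are constructed sample data, and it relies on Kusto's default behavior of splitting strings into terms at non-alphanumeric characters.

```kusto
// Added example: compare the negated term operators with a substring operator.
// The rows below are constructed sample data, not taken from any real log.
datatable(CommandLine:string)
[
    "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "powershell.exe -NoProfile -File backup.ps1",
    "C:\\Tools\\PowerShellHelper\\run.cmd",
    "cmd.exe /c echo Backup done"
]
| extend
    // Whole term, case-insensitive: false only where "powershell" stands alone as a term.
    NotHas_powershell   = CommandLine !has "powershell",
    // "power" is only the start of a longer term, so no row contains it as a whole term.
    NotHas_power        = CommandLine !has "power",
    // Whole term, case-sensitive: the casing must match the term exactly.
    NotHasCs_PowerShell = CommandLine !has_cs "PowerShell",
    // Substring, case-insensitive: shown for contrast with the term-based operators.
    NotContains_power   = CommandLine !contains "power"
| project CommandLine, NotHas_powershell, NotHas_power, NotHasCs_PowerShell, NotContains_power
```

When an exclusion is meant to drop every row that mentions a string anywhere, including inside a longer token such as "PowerShellHelper", a partial term passed to !has drops nothing; compare the NotHas_power and NotContains_power columns before relying on the filter.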