Is there a way to check if substring in field for Log Analytics?

1
votes

I have a column full of Computers in Log Analytics. An example is, "window432, linus909, windows322, linux432". I am filtering my disk utilization but I also want to filter by the specific word "window" or "lin". Is that possible? I am using Kusto to query so here's an example of my thought process:

Perf
| where Name == "Utilization Percentage"
and "win" in Computer

Something like this. Is that possible? Thank you.

2
azureazure-log-analyticsazure-data-explorerazure-monitoringazure-timeseries-insights
it would help if you can provide a sample input (using the datatable operator) and its matching expected output. specifically - do you want the output to include the entire value of Computer, or only the entries in it that have the win substring - as a single record? as multiple records?Yoni L.
@Yoni only the entries in it that have win. For example, when I do, Computer == "window432", it shows me everything for that computer. I am unfamiliar with datatable but will look it up now.Colorful Codes

2 Answers

2
votes

Based on given information in the question and based on what I understand, the requirement is to filter based on Computer names starting with either "window" or "lin".

If that is the case then you can accomplish the requirement with startswith string operator.

Query would look something like:

Perf
| where CounterName == @"% Processor Time" and InstanceName == "_Total"
| where Computer startswith "window" or Computer startswith "lin"

or

InsightsMetrics
| where Name == "UtilizationPercentage"
| where Computer startswith "window" or Computer startswith "lin"

Similarly, based on the requirement, you may leverage other string operators like "in", "has", "endswith", etc. string operators or any other operators or functions as appropriate. For more information w.r.t it, please refer Kusto Query Language (KQL) documents.

0
votes

If i understand the description correctly, this could work.

It:

  1. splits the original comma separated string using split()
  2. expands those using mv-apply
  3. filters out values that don't contain win
  4. aggregates the remaining values into a new (filtered) comma separated string
datatable(Computers:string, id:int)
[
    "window432, linus909, windows322, linux432", 1,
    "window451, linux459, windows444, linux234", 2,
    "android222, ios222, linux333"             , 3
]
| mv-apply Computer = split(Computers, ", ") on (
    where Computer contains "win"
    | summarize Computers = strcat_array(make_list(Computer), ", ")
)
| where isnotempty(Computers)

input:

| Computers                                 | id |
|-------------------------------------------|----|
| window432, linus909, windows322, linux432 | 1  |
| window451, linux459, windows444, linux234 | 2  |
| android222, ios222, linux333              | 3  |

output:

| id | Computers             |
|----|-----------------------|
| 1  | window432, windows322 |
| 2  | window451, windows444 |