question

Kim Strasser avatar image
Kim Strasser asked

How can I only display events that contain a certain string in Data Explorer (advanced)?

I only want to display the events in Data Explorer (advanced) that contain a certain string, for example "Playerscore". But my code is not working because the events have ExecutionResult like this: "Playerscore: 5500", "Playerscore: 5907", "Itemsused: 8".

My code only works if I enter the exact string like for example "Playerscore: 5500" instead of "Playerscore". Then, it displays the event where ExecutionResult = "Playerscore: 5500". But I want to display all the events that contain the string "Playerscore" in ExecutionResult.

How can I only display the events("Playerscore: 5500", "Playerscore: 5907") that contain "Playerscore"?

['events.all']
| where FullName_Name == 'player_reported_as_abusive'
| extend d=parse_json(EventData) 
| extend ExecutionResult = d.Comment
| where ExecutionResult == "Playerscore"
PlayStream
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
Gosen Gao avatar image
Gosen Gao answered

“==” means equal while “has” means to contain. You may write your query like this.

| where ExecutionResult == "Playerscore" => | where ExecutionResult has "Playerscore".

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.