has operator

Applies to: ✅ Azure Data Explorer, Azure Monitor, Microsoft Sentinel

Filters a record set for data with a case-insensitive string. has searches for indexed terms, where an indexed term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.

The following table compares the has operators using the abbreviations provided:

  • RHS = right-hand side of the expression
  • LHS = left-hand side of the expression

| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
| has | Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "North America" has "america" |
| !has | RHS isn't a full term in LHS | No | "North America" !has "amer" |
| has_cs | RHS is a whole term in LHS | Yes | "North America" has_cs "America" |
| !has_cs | RHS isn't a full term in LHS | Yes | "North America" !has_cs "amer" |

For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.

Performance tips

Note

Performance depends on the type of search and the structure of the data. For best practices, see Query best practices.

When possible, use the case-sensitive has_cs.

Syntax

T | where Column has (Expression)

Learn more about syntax conventions.

Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The tabular input whose records are to be filtered. |
| Column | string | ✔️ | The column used to filter the records. |
| Expression | scalar or tabular | ✔️ | An expression for which to search. If the value is a tabular expression and has multiple columns, the first column is used. |

Returns

Rows in T for which the predicate is true.

Example

StormEvents
| summarize event_count=count() by State
| where State has "New"
| where event_count > 10
| project State, event_count

Output

| State | event_count |
|---|---|
| NEW YORK | 1,750 |
| NEW JERSEY | 1,044 |
| NEW MEXICO | 527 |
| NEW HAMPSHIRE | 394 |
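
The four operators from the comparison table applied side by side to the same rows, as an added example that is not part of the original documentation. The Message values are constructed sample log lines, and the column names are assumptions chosen for illustration.

```kusto
// Constructed sample log lines (not real telemetry). In order, the rows hold:
//   1. the search term in lowercase
//   2. the same term in uppercase
//   3. the term only as part of a longer word ("sysadmin")
//   4. the term delimited by a hyphen ("admin-backup")
//   5. no occurrence of the term
datatable(Message: string)
[
    "Failed password for admin from host01",
    "Failed password for ADMIN from host02",
    "Failed password for sysadmin from host03",
    "Accepted password for admin-backup from host04",
    "Connection closed by host05"
]
| extend
    HasAdmin      = Message has "admin",      // case-insensitive whole-term match
    NotHasAdmin   = Message !has "admin",     // negation of has
    HasCsAdmin    = Message has_cs "admin",   // case-sensitive whole-term match
    NotHasCsAdmin = Message !has_cs "admin"   // negation of has_cs
| project Message, HasAdmin, NotHasAdmin, HasCsAdmin, NotHasCsAdmin
```

Comparing the HasAdmin and HasCsAdmin columns row by row shows which records a whole-term filter keeps and which it drops before the filter is used in a detection or hunting query.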