!contains operator
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Filters a record set for data that doesn't include a case-insensitive string. !contains searches for characters rather than terms of three or more characters. The query scans the values in the column, which is slower than looking up a term in a term index.
The following table compares the contains operators using the abbreviations provided:
- RHS = right-hand side of the expression
- LHS = left-hand side of the expression
Operator | Description | Case-Sensitive | Example (yields true) |
---|---|---|---|
contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
!contains | RHS doesn't occur in LHS | No | "Fabrikam" !contains "xyz" |
contains_cs | RHS occurs as a subsequence of LHS | Yes | "FabriKam" contains_cs "Kam" |
!contains_cs | RHS doesn't occur in LHS | Yes | "Fabrikam" !contains_cs "Kam" |
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Note
Performance depends on the type of search and the structure of the data. For best practices, see Query best practices.
When possible, use the case-sensitive !contains_cs.
Use !has if you're looking for a term.
Syntax
Case insensitive syntax
T | where Column !contains (Expression)
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
T | string | ✔️ | The tabular input whose records are to be filtered. |
Column | string | ✔️ | The column by which to filter. |
Expression | scalar | ✔️ | The scalar or literal expression for which to search. |
Returns
Rows in T for which the predicate is true.
Example
StormEvents
| summarize event_count=count() by State
| where State !contains "kan"
| where event_count > 3000
| project State, event_count
Output
State | event_count |
---|---|
TEXAS | 4701 |
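
The performance tips suggest !contains_cs or !has in place of !contains, but the three operators do not test the same thing, so swapping one for another can change which rows a filter keeps. The following query is an added example, not part of the original article; the datatable values are constructed to show where the operators differ.

```kusto
// Constructed sample values (not taken from StormEvents).
datatable(State:string)
[
    "KANSAS",            // "kan" appears only in upper case, inside a longer term
    "ARKANSAS",          // same, in the middle of a longer term
    "Kan River",         // "Kan" is a whole term, mixed case
    "north kan county",  // "kan" is a whole term, lower case
    "TEXAS"              // "kan" does not appear at all
]
| extend
    kept_by_not_contains    = State !contains "kan",     // case-insensitive substring test
    kept_by_not_contains_cs = State !contains_cs "kan",  // case-sensitive substring test
    kept_by_not_has         = State !has "kan"           // case-insensitive whole-term test
```

Each column is true where a `where` clause using that operator would keep the row. Compare the three columns before replacing !contains in an existing exclusion filter.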