I have been working with Defender ATP, and have parsed multiple columns but due to email security I have had to parse seperated columns in the format 'potentialPhishURL' and 'potentialPhishURL_vendor', in doing so I now have two columns, where usually when the vendor has applied a shim to the URL, the standard parse fails, and so with strcat("potentialPhishURL", "potentialPhishURL_vendor") does not work as sometimes both fields are populated.
When both of these columns are populated (potentialPhishURL and potentialPhishURL_vendor) they obviously merge disgustingly and not how I need it (unique values or strcat_if empty) I guess.
Does anyone have any experience with how this is done? Merging a couple of columns in KQL when one of the columns is empty on the same row?
Thanks for reading/ helping if you can!
You should use the iff() function, something like:
iff(isempty(col2), col1, strcat(col1, col2))