How to create a whitelist with two fields in KQL with a Watchlist?
I need to make a query that checks if an event doesn't match two fields from a watchlist. Context: I have a watchlist with two fields, one is a user email and other is a country code, this allows me to ignore events from users who are in an specific country and I don't need to see.
I know how to validate watchlists with one single field:
| where Username !in (_GetWatchlist("query_WL")|project Username)
I am translating queries from Splunk, but this logic doesn't work at all:
Splunk:
| search NOT [ | inputlookup query_WL.csv | fields Username CountryCode]
KQL
| where Username !in (_GetWatchlist("query_WL")|project Username) and CountryCode !in (_GetWatchlist("query_WL")|project CountryCode)
This is blowing my mind, I don't know how to do the same in KQL.
Solution
You could anti-join the fields UserName and CountryCode:
let Blacklist = datatable(
UserName: string,
CountryCode: string
)
[
"John", "DE",
"John", "US"
];
let Data = datatable(
UserName: string,
CountryCode: string
)
[
"John", "DE",
"John", "US",
"Mat", "DE",
"William", "UK",
];
Data
| join kind = anti(Blacklist) on UserName, CountryCode
Result:
Find sample Code here.
- trying to find out week of year in kql
- Azure Data Explorer - plot graph per user over time
- Parse array & json to right numbers of column
- Turning off Kusto database cache policy not reflecting in reduced cache as shown by .show cache command
- Kusto command for generating create table & function script
- Get percent value from total sum row in pivot mode
- How to ingest inline into Azure Data Explorer Table from PowerShell?
- Using KQL and externaldata() operator to pull infromation from json file
- ADF Copy activity is making double column in adx as "infinity" for 1.7976931348623157E308 value
- Can I send data from Azure monitor / fabric to metabase
- KQL: how to exclude first and last incomplete bin?
- KQL query to extend new column with other row values
- How to create an empty bag in KQL?
- Column contains text contains other column
- Kql function to append columns
- Applying a KQL query to the transform_kql parameter through terraform
- KQL query to list the secrets and keys in keyvault that are expired or going to expire in 7 days
- Monitor HTTP traffic for Azure Web App using Log analytics and KQL query
- How to hide or change legend in "Run query and visualize results" logic app function?
- How to calculate time difference between the latest entries of two indirectly tables in Kusto (KQL)?
- Calculate the number of overlapping days for each device using KQL
- How good is performance of "has" operator in Kusto when RHS is not exactly one term?
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- Count how many elements are in an array created by make_set in kusto language
- Inserting data in KQL
- Stuck at PIM Diagnostics via KQL
- union with all fields
- How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?
- Are joins within the same cluster consistent and isolated in Azure Data Explore?
- How to run Get Kusto query using Rest API