has_all operator
Filters a record set for data with one or more case-insensitive search strings. has searches for indexed terms, where a term is three or more characters. If your term is fewer than three characters, the query scans the values in the column, which is slower than looking up the term in the term index.
For more information about other operators and to determine which operator is most appropriate for your query, see datatype string operators.
Performance tips
Note
Performance depends on the type of search and the structure of the data.
For faster results, use the case-sensitive version of an operator, for example, has_cs, not has. For best practices, see Query best practices.
Syntax
T | where Column has_all (list of scalar expressions)
T | where Column has_all (tabular expression)
Arguments
- T: Tabular input whose records are to be filtered.
- Column: Column to filter.
- list of expressions: Comma separated list of tabular, scalar, or literal expressions.
- tabular expression: Tabular expression that has a set of values (if expression has multiple columns, the first column is used).
Returns
Rows in T for which the predicate is true
Note
- The expression list can produce up to
256values. - For tabular expressions, the first column of the result set is selected.
Examples
Use has_all operator with a list
StormEvents
| where EpisodeNarrative has_all ("cold", "strong", "afternoon", "hail")
| summarize Count=count() by EventType
| top 3 by Count
Output
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
Use has_all operator with a dynamic array
The same result can be achieved using a dynamic array notation:
let keywords = dynamic(["cold", "strong", "afternoon", "hail"]);
StormEvents
| where EpisodeNarrative has_all (keywords)
| summarize Count=count() by EventType
| top 3 by Count
Output
| EventType | Count |
|---|---|
| Thunderstorm Wind | 517 |
| Hail | 392 |
| Flash Flood | 24 |
Feedback
Submit and view feedback for