Log Analytics recently added a neat feature that lets you see how well your queries run. Because the Log Analytics operators Has and Contains do similar jobs, some people have been advising that you use only Has, as it is the more efficient of the two. Has is nice, but it is not the be-all and end-all; there are still valid uses for Contains. While I'm on the subject I'll also show how I've been using the In operator.
After running a query there is an expandable panel that shows a number of statistics about the query, such as how long it took and the age of the data.
Operator Throwdown: Has vs Contains
So how does Has compare to Contains?
I ran these same queries against my Solar data numerous times. Occasionally one would pop up at 15 milliseconds, but typically it would be zero.
That is a query over a limited amount of data, though: only the last 24 hours. When the time range is extended to more than a year, a big difference appears.
156 milliseconds versus 296 milliseconds, almost double the time. Case closed, right? Clearly Has is faster and more efficient than Contains. (It is faster because Has can use the term index that Log Analytics builds over string columns, while Contains has to scan the text of every row.)
Except when you don't know exactly what you're looking for. Let's look for "Completed" Logic App runs in our logs, using only the word Completed as the search string.
Using Contains, results are found.
With Has, no results are found.
I started using Has because people said it was more efficient, and they are right. However, when you don't know what you are looking for, Has is a poor choice, and the reason is not that it needs "more data" in some vague sense: Has only matches whole terms, while Contains matches any substring. A term is a run of letters and digits delimited by whitespace or punctuation, so "Run Completed" has "Completed" but "RunCompleted" does not, whereas Contains finds "Completed" in both. Both operators ignore case (the has_cs and contains_cs variants are the case-sensitive forms), so when Contains finds a row that Has misses, the search string must be sitting inside a longer term in that field. That is what happened here: once I put more of the term into my search string, Has returned results.
Conclusion: use Contains when you're not sure what you are looking for, then convert to Has once you know your data and want to write alerts, incidents, dashboards and workbooks. Unfortunately, it appears Has, Contains and In are all omitted from the KQL language reference, which is part of the reason I wanted to document them here.
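To make the term-versus-substring difference concrete, here is an added example (it is not a query from the original post, and the Status values are constructed for illustration rather than taken from any log). It evaluates Has, Contains and their case-sensitive variants against the same search string so the rows can be compared side by side:

```kql
// Added example (not from the original post): constructed values showing
// why Has and Contains disagree on the single word "Completed".
// has   -> matches only whole terms (runs of letters/digits delimited by
//          whitespace or punctuation)
// contains -> matches any substring, even inside a longer term
// Both ignore case; the _cs variants are case-sensitive.
datatable(Status:string)
[
    "Completed",        // whole term
    "Run Completed",    // whole term, space-delimited
    "RunCompleted",     // "Completed" is only part of the term "RunCompleted"
    "completed",        // same word, different case
    "Running"           // neither operator should match this
]
| extend
    has_Completed         = Status has "Completed",
    contains_Completed    = Status contains "Completed",
    has_cs_Completed      = Status has_cs "Completed",
    contains_cs_Completed = Status contains_cs "Completed"
```

The "RunCompleted" row is the one that reproduces the situation in the post: contains_Completed is true while has_Completed is false, because "Completed" is not a whole term there. The "completed" row shows the other caveat: Has and Contains both match it, and only the _cs variants reject it. Paste this into a Log Analytics query window as-is; the datatable means it needs no workspace data.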
The In Operator
Another very useful operator is In. If you've opened any of my recent workbooks, such as the Logic Apps workbook or the Syslog workbook, you'll have seen that I used In exclusively there. How is In useful? It lets you take a field such as Computer and compare it against a parameter that holds a list of Computer names. This lets us set the parameter outside the query and use it as a filter. The drop-down parameters I typically create in my workbooks let you select all objects, multiple objects or any one object, and that is how most of my workbooks handle multiple parameters with that behaviour.
You can see how that functionality works in this demo of the Syslog workbook.
The query looks like this (the '*' in ({HostName}) half of each where clause is what makes the filter pass every row when the parameter value is *, the value for All):
Syslog
| where HostName in ({HostName}) or '*' in ({HostName})
| where Facility in ({Facility}) or '*' in ({Facility})
| where SeverityLevel in ({SeverityLevel}) or '*' in ({SeverityLevel})
| summarize count(SeverityLevel) by SeverityLevel
If In is not finding an exact match (for instance, I had problems with the full resource ID in my Logic App workbook), you can use In~, which is the case-insensitive form of In.
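Here is an added, stand-alone version of the workbook pattern above (it is not a query from the original post or from the workbooks it mentions). The workbook parameters are replaced by let-bound dynamic arrays, the rows are constructed, and the resource IDs and host names are made up for illustration. It shows the '*' "All" trick, the case-sensitivity of In, and In~ as the case-insensitive alternative:

```kql
// Added example (not from the original post). {HostName} and
// {SeverityLevel} are stood in for by let-bound dynamic arrays so the query
// runs without a workbook; a value of "*" is the "All" choice.
let HostNameParam = dynamic(["web01", "db01"]);   // multi-select of two hosts
let SeverityParam = dynamic(["*"]);              // All: filter is disabled
// Constructed rows; the resource IDs are hypothetical.
let Sample = datatable(HostName:string, SeverityLevel:string, ResourceId:string)
[
    "web01", "err",     "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Logic/workflows/wf1",
    "web01", "warning", "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.LOGIC/WORKFLOWS/WF1",
    "db01",  "info",    "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Logic/workflows/wf2",
    "app02", "err",     "/subscriptions/0000/resourceGroups/rg2/providers/Microsoft.Logic/workflows/wf3"
];
// The one resource we are interested in, written in mixed case as Azure emits it.
let Wanted = "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Logic/workflows/wf1";
Sample
| where HostName in (HostNameParam) or '*' in (HostNameParam)        // app02 is dropped here
| where SeverityLevel in (SeverityParam) or '*' in (SeverityParam)   // "*" lets every row through
| extend
    ExactMatch      = ResourceId in (Wanted),   // in is case-sensitive: the upper-case row is false
    IgnoreCaseMatch = ResourceId in~ (Wanted)   // in~ ignores case: both wf1 rows are true
| project HostName, SeverityLevel, ExactMatch, IgnoreCaseMatch
```

Switching HostNameParam to dynamic(["*"]) brings the app02 row back, which is exactly what selecting All in the workbook drop-down does. The two wf1 rows show why the resource ID comparison needed In~: the value is the same resource, but a difference in letter case is enough for In to reject it.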
I hope you found this post on Log Analytics Operators Has, Contains and In useful.