String operators

Axiom processing language provides you with different query operators for searching string data types. Below are the list of string operators we support on Axiom processing language. Note: The following abbreviations are used in the table below:
  • RHS = right hand side of the expression.
  • LHS = left hand side of the expression.
Operators with an _cs suffix are case sensitive When two operators do the same task, use the case-sensitive one for better performance. For example:
  • instead of =~, use ==
  • instead of in~, use in
  • instead of contains, use contains_cs
The table below shows the list of string operators supported by Axiom processing language:
OperatorDescriptionCase-SensitiveExample
==EqualsYes"aBc" == "aBc"
!=Not equalsYes"abc" != "ABC"
=~EqualsNo"abc" =~ "ABC"
!~Not equalsNo"aBc" !~ "xyz"
containsRHS occurs as a subsequence of LHSNoparentSpanId contains Span
!containsRHS doesn’t occur in LHSNoparentSpanId !contains abc
contains_csRHS occurs as a subsequence of LHSYesparentSpanId contains_cs “Id”
!contains_csRHS doesn’t occur in LHSYesparentSpanId !contains_cs “Id”
startswithRHS is an initial subsequence of LHSNoparentSpanId startswith parent
!startswithRHS isn’t an initial subsequence of LHSNoparentSpanId !startswith “Id”
startswith_csRHS is an initial subsequence of LHSYesparentSpanId startswith_cs “parent”
!startswith_csRHS isn’t an initial subsequence of LHSYesparentSpanId !startswith_cs “parent”
endswithRHS is a closing subsequence of LHSNoparentSpanId endswith “Id”
!endswithRHS isn’t a closing subsequence of LHSNoparentSpanId !endswith Span
endswith_csRHS is a closing subsequence of LHSYesparentSpanId endswith_cs Id
!endswith_csRHS isn’t a closing subsequence of LHSYesparentSpanId !endswith_cs Span
inEquals to one of the elementsYesabc in (“123”, “345”, “abc”)
!inNot equals to any of the elementsYes”bca” !in (“123”, “345”, “abc”)
in~Equals to one of the elementsNo”abc” in~ (“123”, “345”, “ABC”)
!in~Not equals to any of the elementsNo”bca” !in~ (“123”, “345”, “ABC”)
!matches regexLHS doesn’t contain a match for RHSYesparentSpanId !matches regex g.*r
matches regexLHS contains a match for RHSYesparentSpanId matches regex g.*r
hasRHS is a whole term in LHSNoContent Type has text
has_csRHS is a whole term in LHSYesContent Type has_cs Text

Use string operators efficiently

String operators are fundamental in comparing, searching, or matching strings. Understanding the performance implications of different operators can significantly optimize your queries. Below are performance tips and query examples.

Equality and Inequality Operators

  • Operators: ==, !=, =~, !~, in, !in, in~, !in~
Query Examples: 
"get" == "get"
"get" != "GET"
"get" =~ "GET"
"get" !~ "put"
"get" in ("get", "put", "delete")
  • Use == or != for exact match comparisons when case sensitivity is important, as they are faster.
  • Use =~ or !~ for case-insensitive comparisons, or when the exact case is unknown.
  • Use in or !in for checking membership within a set of values, which can be efficient for a small set of values.

Subsequence Matching Operators

  • Operators: contains, !contains, contains_cs, !contains_cs, startswith, !startswith, startswith_cs, !startswith_cs, endswith, !endswith, endswith_cs, !endswith_cs.
Query Examples: 
"parentSpanId" contains "Span" // True
"parentSpanId" !contains "xyz" // True
"parentSpanId" startswith "parent" // True
"parentSpanId" endswith "Id" // True
"parentSpanId" contains_cs "Span" // True if parentSpanId is "parentSpanId", False if parentSpanId is "parentspanid" or "PARENTSPANID"
"parentSpanId" startswith_cs "parent" // True if parentSpanId is "parentSpanId", False if parentSpanId is "ParentSpanId" or "PARENTSPANID"
"parentSpanId" endswith_cs "Id" // True if parentSpanId is "parentSpanId", False if parentSpanId is "parentspanid" or "PARENTSPANID"
  • Use case-sensitive operators (contains_cs, startswith_cs, endswith_cs) when the case is known, as they are faster.

Regular Expression Matching Operators

  • Operators: matches regex, !matches regex
"parentSpanId" matches regex "p.*Id" // True
"parentSpanId" !matches regex "x.*z" // True
  • Avoid complex regular expressions or use string operators for simple substring, prefix, or suffix matching.

Term Matching Operators

  • Operators: has, has_cs
Query Examples: 
"content type" has "type" // True
"content type" has_cs "Type" // False
  • Use has or has_cs for term matching which can be more efficient than regular expression matching for simple term searches.
  • Use has_cs when the case is known, as it is faster due to case-sensitive matching.

Best Practices

  • Always use case-sensitive operators when the case is known, as they are faster.
  • Avoid complex regular expressions for simple matching tasks; use simpler string operators instead.
  • When matching against a set of values, ensure the set is as small as possible to improve performance.
  • For substring matching, prefer prefix or suffix matching over general substring matching for better performance.

has operator

The has operator in APL filters rows based on whether a given term or phrase appears within a string field.

Importance of the has operator:

  • Precision Filtering: Unlike the contains operator, which matches any substring, the has operator looks for exact terms, ensuring more precise results.
  • Simplicity: Provides an easy and readable way to find exact terms in a string without resorting to regex or other more complex methods.
The following table compares the has operators using the abbreviations provided:
  • RHS = right-hand side of the expression
  • LHS = left-hand side of the expression
OperatorDescriptionCase-SensitiveExample
hasRight-hand-side (RHS) is a whole term in left-hand-side (LHS)No”North America” has “america”
has_csRHS is a whole term in LHSYes”North America” has_cs “America”
hassuffixLHS string ends with the RHS stringNo”documentation.docx” hassuffix “.docx”
hasprefixLHS string starts with the RHS stringNo”Admin_User” hasprefix “Admin”
hassuffix_csLHS string ends with the RHS stringYes”Document.HTML” hassuffix_cs ”.HTML”
hasprefix_csLHS string starts with the RHS stringYes”DOCS_file” hasprefix_cs “DOCS”

Syntax

['Dataset'] 
| where Field has (Expression)

Parameters

NameTypeRequiredDescription
FieldstringThe field filters the events.
Expressionscalar or tabularAn expression for which to search. The first field is used if the value of the expression has multiple fields.

Returns

The has operator returns rows from the dataset where the specified term is found in the given field. If the term is present, the row is included in the result set; otherwise, it is filtered out.

Example

['sample-http-logs']
| summarize event_count = count() by content_type
| where content_type has "text"
| where event_count > 10
| project event_count, content_type
Run in Playground

Output

event_countcontent_type
132,765text/html
132,621text/plain-charset=utf-8
89,085text/csv
88,436text/css