This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 87%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Is it possible to use contains on a Watchlist?
Like:
let DataOfInterest = (_GetWatchlist('DataWatchlist')| project SearchKey);
| where FieldOfInterest contains (DataOfInterest )
Figured out the problem.
I removed the \ escapes from the directories on the Watchlist.
So now the Watchlist entries look like \directory01\conf\fileA.ini
Results are now filtered as expected.
You can use "in" instead?
let DataOfInterest = _GetWatchlist("ComputerList") | project SearchKey;
Heartbeat
| where Computer in (DataOfInterest )
| summarize count() by Computer
in does not seem to do it.
What I have is a Watchlist of 24 partial directory paths that I am trying to exclude.
Currently the exclusion works when configured in the KQL like this:
| where not(FileSystemPath has_any ("\directory01\conf\fileA.ini", "\directory02\conf\fileB.xml",
"\path01\conf\fileC.xml",
"\path02\conf\fileD.xml")
But when I use similar logic leveraging the Watchlist with the exact same escaped directories as the SearchKey, I get results that are excluded when configured in the KQL.
let FilePath_exclusion = (_GetWatchlist('FileSystemPath')| project SearchKey);
...
| where not(FileSystemPath has_any (FilePath_exclusion))