Search Operator

Learn how to fully use KQL's `search` operator

The search operator lets you search for a term across multiple tables and/or columns. It is less efficient than the where operator, which filters a known table on a known column, so prefer where once you know where the data lives. The search operator is still useful when you are unsure of which table or column to filter on and need a broad first pass.

Examples

Searching Across Multiple Tables

The below query will search for the word "error" within the SecurityEvent, SecurityDetection, and SecurityAlert tables for the last 7 days.
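The query described above, written out as an added example (this is not the page's own query). It assumes the three tables expose the standard Azure Monitor TimeGenerated column and uses the $table column that search adds to every result row to show which table each hit came from:

```kql
// Added example (not from the original page): scope search to three named tables
// and restrict it to the last 7 days. search is case-insensitive by default.
search in (SecurityEvent, SecurityDetection, SecurityAlert) "error"
| where TimeGenerated > ago(7d)
// $table is populated by search and tells you which source table matched,
// which is what you need in order to switch to a cheaper where-based query later.
| summarize Hits = count() by $table
```

Restricting the time range with where immediately after search keeps the scan bounded; without it, search reads the full retention window of every listed table.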

Searching Across All the Logs

The query below will search for "threat" across all tables. This could be used to search across all tables for malicious activities. Click the drop-down from any of the entries to see more details.
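An added example of the all-tables search (not the page's own query), with a time bound and a per-table summary so you can see which tables hold the term before narrowing down with where. It assumes the workspace's tables expose the standard TimeGenerated column:

```kql
// Added example (not from the original page): search every table in the workspace
// for "threat", limited to the last day to keep the scan manageable.
search "threat"
| where TimeGenerated > ago(1d)
// Group by the search-provided $table column to find which tables contain hits.
| summarize Hits = count(), LastSeen = max(TimeGenerated) by $table
| order by Hits desc
```

Once this shows the table of interest, rewrite the query as `TableName | where Column has "threat"`; the where form targets one table and column and avoids scanning the whole workspace.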

Searching for a Specific Item From a Particular Table

The below query will search for every event relating to the address "13.89.179.10" in the AzureNetworkAnalyticsIPDetails_CL table.

AzureNetworkAnalyticsIPDetails_CL
| search "13.89.179.10"

Note: The _CL suffix means Custom Log; it marks any table created by importing your own data. It also distinguishes custom tables from the built-in ones, since many custom tables would otherwise share names with built-in tables.
