Contains

Kusto

Definition

The `contains` operator checks whether a piece of text includes a certain sequence of letters anywhere inside it. It does not matter where the sequence appears. It also does not matter if the letters are uppercase or lowercase. If the characters show up in the same order, the condition is true.

This operator is useful when you know part of what you are looking for, but you do not know the exact full word or the exact position of the text. It helps you discover patterns that might be hidden inside larger strings.

**Example**

```
| where URL contains "login"
```

This returns URLs such as:

* `login.php`
* `customer-login`
* `securelogin.example.com`

All of these contain the letters “login” in the same order.

---

**How it differs from `has`**

`has` looks for a complete word.
`contains` looks for the characters anywhere, even if they appear inside a larger word.

With the search term `admin`:

```
| where Message contains "admin"
```

Matches:

* “admin logged in”
* “administrator reset password”
* “role=superadmin”

```
| where Message has "admin"
```

Matches:

* “admin logged in”
  Does not match:
* “administrator reset password”
* “role=superadmin”

This is because `admin` must appear as its own token for `has` to return true.

---

**Why it matters**

Choosing the correct operator affects the accuracy of your results.

* `contains` may find more matches, but can sometimes return unrelated values because the letter sequence appears by chance.
* `has` returns fewer matches and is better when you want cleaner, more focused results based on whole words.

Understanding the difference helps analysts write precise queries and avoid misleading results.

Contains

Definition

Explore More Terms