Whas is the difference between the has and contains operators in KQL?

Here is the has operator documentation. Here is the documentation for the contains operator.

Both of them check for an existence of a case insensitive string. So, does it mean that the usage of one operator over the other is just a matter of taste?

CodePudding user response：

contains looks for a substring while has looks for whole term.

A term is a sequence of alpha-numeric ASCII character (see What is a term?).

contains will always return true if a substring exists.
has result depends on the surrounding of the substring.

Why should we prefer has over contains?
TL;DR: performance.

Azure Data Explorer (AKA ADX, AKA Kusto), indexes every term of 3 characters long or more.
When we use has the optimizer is likely to use the index (Not always. E.g., if the term is highly common, there might be no point using an index).
When we use contains the index is not being used and the data itself is scanned for the substring.

The index is what enable ADX to return search results in sub-seconds/seconds even when the searched is done on Petabytes.

Here are some examples.
Note the following:

• contains always finds the searched substring (hell or hello).
• has never finds the substring hell.
• has finds the searched substring helloas long as it is not a part of a longer alpha-numeric sequence.

datatable(txt:string)
[
    "Hello World"
   ,"<Hello-World>"
   ,"*Hello*World*"
   ,"?Hello%World!"
   ,"_Hello_World_"
   ,"123Hello-World456"
   ,"abcHello Worldxyz"
   ,"HelloWorld"
]
| extend contains_hell  = txt contains  "hell"
        ,contains_hello = txt contains  "hello"
        ,has_hell       = txt has       "hell"
        ,has_hello      = txt has       "hello"

Fiddle