Forum Discussion
Solved
Unable to query signinlogs for multiple users
Hi Team,
I'm trying to query signinlogs table for last x days for multiple users at a time but unable to get results. I'm using UserDisplayName contains field followed by "and" operator to seperate each user name but no go ,can somebody from community help.
I'm trying to query signinlogs table for last x days for multiple users at a time but unable to get results. I'm using UserDisplayName contains field followed by "and" operator to seperate each user name but no go ,can somebody from community help.
- If you know their userprincipalnames you can use the in operator
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName in~ ("user1@domain.com", "user2@domain.com", "user3@domain.com")
If you want to use multiple contains, you want the 'or' operator, and would mean a sign on log would need to match all the conditions
SigninLogs
| where TimeGenerated > ago(7d)
| where UserDisplayName contains "Bob Smith" or UserDisplayName contains "Jane Jon" or UserDisplayName contains "Dinesh G"
- If you know their userprincipalnames you can use the in operator
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName in~ ("user1@domain.com", "user2@domain.com", "user3@domain.com")
If you want to use multiple contains, you want the 'or' operator, and would mean a sign on log would need to match all the conditions
SigninLogs
| where TimeGenerated > ago(7d)
| where UserDisplayName contains "Bob Smith" or UserDisplayName contains "Jane Jon" or UserDisplayName contains "Dinesh G"- Thank you Zorich, with ~in operator I'm able get the results for multiple users but the query with contains not giving the results.Anyway I got what I want thanks
