SOLVED

Unable to query signinlogs for multiple users

Hi Team,
I'm trying to query the signinlogs table for the last x days for multiple users at a time but am unable to get results. I'm using the UserDisplayName contains field followed by the "and" operator to separate each user name, but no go. Can somebody from the community help?
2 Replies
best response confirmed by Dinesh_G (Occasional Contributor)
Solution
If you know their userprincipalnames you can use the in operator

SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName in~ ("user1@domain.com", "user2@domain.com", "user3@domain.com")

If you want to use multiple contains, you want the 'or' operator, and that would mean a sign-on log would need to match all the conditions

SigninLogs
| where TimeGenerated > ago(7d)
| where UserDisplayName contains "Bob Smith" or UserDisplayName contains "Jane Jon" or UserDisplayName contains "Dinesh G"
Thank you Zorich, with the ~in operator I'm able to get the results for multiple users, but the query with contains is not giving the results. Anyway, I got what I want, thanks.
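An added example, not part of any post in this thread: the query below counts how many rows each filter style from the thread matches, so the behaviour of `and`, `or` and `in~` can be compared side by side. Each sign-in row carries a single UserDisplayName, so chaining `contains` for different names with `and` asks for one row to hold both names at once. The `SampleSignins` table, its rows and the `Watchlist` variable are constructed for illustration; against real data, replace `SampleSignins` with `SigninLogs` and keep the `TimeGenerated` filter from the answer.

```kql
// Constructed sample rows standing in for SigninLogs (not real data).
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, UserDisplayName:string)
[
    datetime(2021-07-26 08:00:00), "bob.smith@domain.com", "Bob Smith",
    datetime(2021-07-26 08:05:00), "jane.jon@domain.com",  "Jane Jon",
    datetime(2021-07-26 08:10:00), "dinesh.g@domain.com",  "Dinesh G",
    datetime(2021-07-26 08:15:00), "other.user@domain.com", "Other User",
    datetime(2021-07-26 09:00:00), "bob.smith@domain.com", "Bob Smith"
];
// Hypothetical list of accounts under review; mixed case on purpose,
// because in~ compares case-insensitively.
let Watchlist = dynamic(["bob.smith@domain.com", "JANE.JON@domain.com", "dinesh.g@domain.com"]);
SampleSignins
| summarize
    TotalRows = count(),
    // A row matches only if its one display name contains BOTH strings.
    MatchedWithAnd = countif(UserDisplayName contains "Bob Smith"
                         and UserDisplayName contains "Jane Jon"),
    // A row matches if its display name contains EITHER string.
    MatchedWithOr = countif(UserDisplayName contains "Bob Smith"
                         or UserDisplayName contains "Jane Jon"
                         or UserDisplayName contains "Dinesh G"),
    // Exact, case-insensitive match of the UPN against the list.
    MatchedWithIn = countif(UserPrincipalName in~ (Watchlist))
```

Matching on UserPrincipalName with `in~` is an exact comparison per account, whereas `contains` on a display name is a substring match and can pull in other users whose names include the same text.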