cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Unable to query signinlogs for multiple users

Dinesh_G
Copper Contributor

‎Jul 25 2021 12:54 PM

‎Jul 25 2021 12:54 PM

Unable to query signinlogs for multiple users

Hi Team,
I'm trying to query signinlogs table for last x days for multiple users at a time but unable to get results. I'm using UserDisplayName contains field followed by "and" operator to seperate each user name but no go ,can somebody from community help.
686 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Dinesh_G (Copper Contributor)
m_zorich

‎Jul 25 2021 04:28 PM

‎Jul 25 2021 04:28 PM

Solution

Re: Unable to query signinlogs for multiple users

If you know their userprincipalnames you can use the in operator

SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName in~ ("user1@domain.com", "user2@domain.com", "user3@domain.com")

If you want to use multiple contains, you want the 'or' operator, and would mean a sign on log would need to match all the conditions

SigninLogs
| where TimeGenerated > ago(7d)
| where UserDisplayName contains "Bob Smith" or UserDisplayName contains "Jane Jon" or UserDisplayName contains "Dinesh G"
0 Likes
Reply
Dinesh_G

‎Jul 25 2021 04:49 PM

‎Jul 25 2021 04:49 PM

Re: Unable to query signinlogs for multiple users

Thank you Zorich, with ~in operator I'm able get the results for multiple users but the query with contains not giving the results.Anyway I got what I want thanks
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Dinesh_G (Copper Contributor)
m_zorich

‎Jul 25 2021 04:28 PM

‎Jul 25 2021 04:28 PM

Solution

Re: Unable to query signinlogs for multiple users

If you know their userprincipalnames you can use the in operator

SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName in~ ("user1@domain.com", "user2@domain.com", "user3@domain.com")

If you want to use multiple contains, you want the 'or' operator, and would mean a sign on log would need to match all the conditions

SigninLogs
| where TimeGenerated > ago(7d)
| where UserDisplayName contains "Bob Smith" or UserDisplayName contains "Jane Jon" or UserDisplayName contains "Dinesh G"

View solution in original post

0 Likes
Reply