FAQ: How do I query a single field for multiple values?

Reading time: 0 minutes

You can query a single field for multiple values using the in() function:

logscale

#event_simpleName=UserLogon
| in(LogonType, values=["2","10"])
| select([@timestmap, UserSid, UserName, LogonType, ClientComputerName])