FAQ: How do I query a single field for multiple values?

Page was created:26 Mar 2024

You can query a single field for multiple values using the in() function:

logscale

#event_simpleName=UserLogon
| in(LogonType, values=["2","10"])
| select([@timestmap, UserSid, UserName, LogonType, ClientComputerName])