I am very new to KQL, and I am stuck on this query. I am looking to have a query display which users have had sign-ins from different states. I created this query, but I do not know how to count the results in the column "names".

```kusto
SigninLogs
| project tostring(LocationDetails.state), UserDisplayName
| extend p = pack('Locations', LocationDetails_state)
| summarize names = make_set(p) by UserDisplayName
```

This generates a column "names" with a row like so:

[{"Locations":"Arkansas"},{"Locations":"Iowa"},{"Locations":""}]

Here is a simple query that grabs all sign-ins from users and another column with the locations.

```kusto
SigninLogs
| where ResultType == "0"
| summarize by UserDisplayName, tostring(LocationDetails.state)
```

Is there a way to combine the duplicates in the users column, and then display each location in the second? If so, could I count each location in order to filter by where location is > 1?

1 Answer

> I am looking to have a query display which users have had sign-ins from different states

Assuming I understood your question correctly, this could work (using array_length()):

```kusto
SigninLogs
| project State = tostring(LocationDetails.state), UserDisplayName
| summarize States = make_set(State) by UserDisplayName
| where array_length(States) > 1 // filter users who had sign-ins from *more than 1 state*
```
1 Comment

Thank you! This works. I felt like I tried this, but I guess not.
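
An added example, not part of the original question or answer: the same `make_set()` / `array_length()` approach, extended to keep only successful sign-ins (the `ResultType == "0"` filter from the question) and to ignore records with an empty state, like the `""` entry in the question's sample output, so a blank location is not counted as a second state. The `SampleSignins` table, its user names and the non-zero `ResultType` value are constructed so the query runs without a workspace; swap `SampleSignins` for `SigninLogs` to run it on real data.

```kusto
// Constructed sample rows standing in for SigninLogs (assumption: same column names and types).
let SampleSignins = datatable(UserDisplayName:string, ResultType:string, LocationDetails:dynamic)
[
    "Alice", "0",     dynamic({"state":"Arkansas"}),
    "Alice", "0",     dynamic({"state":"Iowa"}),
    "Alice", "0",     dynamic({"state":""}),        // no state resolved for this sign-in
    "Bob",   "0",     dynamic({"state":"Iowa"}),
    "Bob",   "0",     dynamic({"state":""}),        // blank must not count as a second state
    "Carol", "0",     dynamic({"state":"Texas"}),
    "Carol", "50126", dynamic({"state":"Ohio"})     // failed sign-in (constructed), excluded below
];
SampleSignins
| where ResultType == "0"                            // successful sign-ins only
| extend State = tostring(LocationDetails.state)
| where isnotempty(State)                            // drop sign-ins with no state value
| summarize States = make_set(State), SignIns = count() by UserDisplayName
| extend StateCount = array_length(States)           // number of distinct states per user
| where StateCount > 1                               // users seen in more than one state
| order by StateCount desc, UserDisplayName asc
```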
