Skip to main content Link Search Menu Expand Document (external link)

Query - sContent

Table of contents
  1. sContent in the ‘search’ pipe
  2. sContent in data processing

sContent in the ‘search’ pipe

Example:

  search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")
  let userEmail=f("@azureSignIn.userPrincipalName")

The results are as below. There are 188 records in total, with the query “sContent(“@event_type”,”@azureSignIn”)”.

sContent in data processing

Example:

load resource ADUser
let {customer, name, msDSPrincipalName,sAMAccountName, description, pwdLastSetTime, dayIndex, propertyFlags} =f("@ADUser")
where sContent(propertyFlags,"ACCOUNTDISABLE")
aggregate duplicate=count() by sAMAccountName