Query - sStartswith




  search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")
  let userEmail=f("@azureSignIn.userPrincipalName")

The results are shown below. The query “sStartswith("@event_type","@azure")” returns 193 records in total, more than either “sContent("@event_type","@azureSignIn")” or “sContains("@event_type","Sign")”. That means that, during the past 3 days, more than one event type starts with “@azure”.

To check how many other event types start with “@azure”, append the following commands to the query:

  let type=f("@event_type")
  aggregate count() by type

The output shows that two event types start with “@azure”: “@azureDirectoryAudit” and “@azureSignIn”. During the past 3 days, the former has 5 records.
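
The scoping effect described above, emulated in Python as an added example (not part of the original page and not FPL itself): it reports which event types a prefix filter pulls in beyond an exact filter. The sample records are constructed to mirror the counts on this page; the exact-match meaning of sContent, the substring meaning of sContains, case sensitivity, and the helper names `search`, `count_by_type` and `extra_types` are assumptions.

```python
from collections import Counter

# Constructed sample: 193 records mirroring the counts reported on this page
# (5 "@azureDirectoryAudit"; the remaining 188 are therefore "@azureSignIn").
EVENTS = (
    [{"@event_type": "@azureSignIn"} for _ in range(188)]
    + [{"@event_type": "@azureDirectoryAudit"} for _ in range(5)]
)

# Python stand-ins for the three filters. Exact-match semantics for sContent,
# substring semantics for sContains and case sensitivity are assumptions.
MATCHERS = {
    "sStartswith": lambda value, pattern: value.startswith(pattern),
    "sContent": lambda value, pattern: value == pattern,
    "sContains": lambda value, pattern: pattern in value,
}


def search(events, mode, field, pattern):
    """Return the events whose `field` matches `pattern` under `mode`."""
    test = MATCHERS[mode]
    return [e for e in events if test(e.get(field, ""), pattern)]


def count_by_type(events, field="@event_type"):
    """Emulates: let type=f(field) followed by aggregate count() by type."""
    return dict(Counter(e[field] for e in events))


def extra_types(broad, narrow, field="@event_type"):
    """Event types the broad filter pulls in that the narrow one does not."""
    return sorted({e[field] for e in broad} - {e[field] for e in narrow})


if __name__ == "__main__":
    prefix = search(EVENTS, "sStartswith", "@event_type", "@azure")
    exact = search(EVENTS, "sContent", "@event_type", "@azureSignIn")
    print(len(prefix), len(exact), count_by_type(prefix))
    print("added by prefix match:", extra_types(prefix, exact))
```

Running the same comparison before reusing a prefix filter in a detection rule shows whether it silently widens the rule to event types such as directory audit records.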