sourcetype="sourcetype1"
| search NOT
[
search sourcetype="sourcetype2"
| stats values(username) as username, values(_time) as _time
]
| stats values(username) as username
You will get the list of unmatched usernames which you could then use to trigger alert
... View more