Hi all!
I have been absolutely stumped by this and hoping you can help me out. I am trying to find users that have 2 different, distinct events that happen on the same day. One event can occur at any time of the day, and the second event occurs between 6-8 am. The closest I have gotten is:

index=Info source=Trustme (EventCode=X OR EventCode=Y)
| eval hour=tonumber(strftime(_time,"%H"))
| where hour>=8 OR hour<0
| stats values(EventCode) as Event_Codes by User
| search Event_Codes=X Event_Codes=Y

This is clipping out users who have Event Y occur outside of that range, which I would like to avoid. Also, I want to cast this over a large period to test and make sure I'm capturing the right people, then I can hopefully set it up as an alert.
Any help would be greatly appreciated!
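The correlation described in the post, as an added example that is not part of the original post or its search: instead of filtering every event by hour before grouping, the hour window is tested only for the second event code, and the two conditions are then combined per user and per calendar day. The event list, user names and event codes are constructed here for illustration; the same shape (per-code flags, then a group-by on user and day) is what the Splunk search needs to express.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the post): (timestamp, user, event_code)
SAMPLE_EVENTS = [
    ("2024-03-01 07:15:00", "alice", "Y"),  # Y inside the 06:00-08:00 window
    ("2024-03-01 14:02:00", "alice", "X"),  # X at any time, same day -> alice matches
    ("2024-03-01 07:40:00", "bob",   "Y"),  # Y in window, but no X that day
    ("2024-03-02 09:10:00", "bob",   "X"),  # X on a different day -> no match
    ("2024-03-02 12:30:00", "carol", "Y"),  # Y outside the window
    ("2024-03-02 13:00:00", "carol", "X"),  # X present, Y not in window -> no match
    ("2024-03-03 06:05:00", "dave",  "Y"),  # Y inside the window
    ("2024-03-03 06:30:00", "dave",  "X"),  # both conditions met -> dave matches
    ("2024-03-03 22:00:00", "dave",  "Y"),  # extra Y outside window must not drop dave
]


def find_users(events, code_any="X", code_window="Y", start_hour=6, end_hour=8):
    """Return sorted (user, day) pairs where the user has code_any at any hour
    and code_window with start_hour <= hour < end_hour on the same day.

    The hour test is applied only to code_window events, so a user who also
    has code_window events outside the window is still reported.
    """
    seen = defaultdict(lambda: {"any": False, "window": False})
    for ts, user, code in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (user, t.date().isoformat())  # group by user and calendar day
        if code == code_any:
            seen[key]["any"] = True
        elif code == code_window and start_hour <= t.hour < end_hour:
            seen[key]["window"] = True
    return sorted(k for k, v in seen.items() if v["any"] and v["window"])


if __name__ == "__main__":
    for user, day in find_users(SAMPLE_EVENTS):
        print(f"{day}: {user}")
```

Run over a long time range first, as the post suggests, and compare the (user, day) pairs against known cases before turning the logic into an alert.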