Good morning, I'm doing a search to bring up users with their first login of the day and their last logoff.
I made the following query, but I cannot get the first line of the 4624 and the last one of the 4636 on the same line.
@yassy,
Give this a try
index="your index" day="your day field"
|stats earliest(eval(if(EventCode="4624",_time,null()))) as PrimerLogin,
latest(eval(if(EventCode="4634",_time,null()))) as UltimoLogoff by User,day
Thanks, finally I resolved it with this search
index=wineventlog (EventCode="4624" ) Account_Name!=AdminSp Account_Name!=AdminCitrix
| regex Account_Name!=".*\$"
| eval Day=strftime(_time,"%d/%m/%Y")
| eval User=mvindex(Account_Name,1)
| eval Time=strftime(_time,"%d/%m/%Y %H.%M.%S")
| stats earliest(Time) as PrimerLogin by User,Day
| join User,Day
[search
index=wineventlog (EventCode="4634" ) Account_Name!=AdminSp Account_Name!=AdminCitrix
| regex Account_Name!=".*\$"
| eval Day=strftime(_time,"%d/%m/%Y")
| eval User=Account_Name
| eval Time=strftime(_time,"%d/%m/%Y %H.%M.%S")
| stats latest(Time) as UltimoLogoff by User,Day
]
| stats values(PrimerLogin) as PrimerLogin,values(UltimoLogoff) as UltimoLogoff by User,Day
@yassy, avoid join if possible. Wasn't the earlier search I provided working?
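The single-pass stats idea from the first answer, and why it is preferable to the join-based version, as an added Python example that is not from the thread or from Splunk: it applies the same first-4624 / last-4634 per user per day logic to constructed Windows logon events (EVENTS, BASE and EXCLUDED are constructed assumptions, not real data) and keeps a user who logged on but has no 4634 that day, a row an inner join of two searches would drop.

```python
from collections import defaultdict
from datetime import datetime, timezone

BASE = 1700006400  # 2023-11-15 00:00:00 UTC, constructed anchor for the samples
EXCLUDED = {"AdminSp", "AdminCitrix"}  # the thread's Account_Name exclusions

# Constructed sample events. On 4624, Account_Name is multivalue (subject
# account first, target account second); on 4634 it is the single account.
EVENTS = [
    {"EventCode": "4624", "_time": BASE + 8 * 3600, "Account_Name": ["WS01$", "alice"]},
    {"EventCode": "4634", "_time": BASE + 12 * 3600, "Account_Name": "alice"},
    {"EventCode": "4624", "_time": BASE + 13 * 3600, "Account_Name": ["WS01$", "alice"]},
    {"EventCode": "4634", "_time": BASE + 17 * 3600, "Account_Name": "alice"},
    {"EventCode": "4624", "_time": BASE + 9 * 3600, "Account_Name": ["WS01$", "bob"]},  # no logoff seen
    {"EventCode": "4624", "_time": BASE + 7 * 3600, "Account_Name": ["WS01$", "WS01$"]},  # machine account
    {"EventCode": "4624", "_time": BASE + 6 * 3600, "Account_Name": ["WS01$", "AdminSp"]},
]

def user_of(ev):
    """mvindex(Account_Name,1) for 4624, plain Account_Name for 4634."""
    name = ev["Account_Name"]
    return name[1] if isinstance(name, list) else name

def day_of(ts):
    """eval Day=strftime(_time,"%d/%m/%Y"), evaluated in UTC for determinism."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%m/%Y")

def login_logoff_by_user_day(events):
    """Single-pass equivalent of:
         stats earliest(eval(if(EventCode="4624",_time,null()))) as PrimerLogin,
               latest(eval(if(EventCode="4634",_time,null()))) as UltimoLogoff by User, Day
       Returns {(user, day): (first_login_epoch, last_logoff_epoch)}; a missing
       side stays None instead of the row being dropped as an inner join would."""
    out = defaultdict(lambda: [None, None])
    for ev in events:
        user = user_of(ev)
        if user.endswith("$") or user in EXCLUDED:  # regex Account_Name!=".*\$" plus the != filters
            continue
        key, t = (user, day_of(ev["_time"])), ev["_time"]
        if ev["EventCode"] == "4624":
            out[key][0] = t if out[key][0] is None else min(out[key][0], t)
        elif ev["EventCode"] == "4634":
            out[key][1] = t if out[key][1] is None else max(out[key][1], t)
    return {k: tuple(v) for k, v in out.items()}

if __name__ == "__main__":
    fmt = lambda t: "-" if t is None else datetime.fromtimestamp(t, tz=timezone.utc).strftime("%H.%M.%S")
    for (user, day), (login, logoff) in sorted(login_logoff_by_user_day(EVENTS).items()):
        print(f"{day} {user:8} PrimerLogin={fmt(login)} UltimoLogoff={fmt(logoff)}")
```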