
Cisco ISE: Compare field between events for change

elliottrl
Engager

I've been working on a query for Cisco ISE to compare what authorization devices are getting and to count when their authorization changes. Only the two most recent authentication attempts are of interest. This query works, but I'm hoping someone can help get me to something more efficient as this takes quite a bit of time to run against a 24 hour period.

sourcetype=cisco:ise:syslog log_type=Pass*
| eventstats list(SelectedAuthorizationProfiles) as authz by Calling_Station_ID
| eval authz1=mvindex(authz, 1),
authz2=mvindex(authz, 2)
| eventstats values(authz1) as authz1 values(authz2) as authz2 by Calling_Station_ID
| where authz1!=authz2
| timechart span=1h limit=0 dc(Calling_Station_ID) as "# of Changes"
0 Karma

evania
Splunk Employee

Hi @elliottrl ,

Did you have a chance to check out an answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

dmarling
Builder

You can get the last result using streamstats, but you will have to reverse the order that the events are streamed by using either the reverse command or a sort. I choose sort as I find it tends to work a bit faster:

sourcetype=cisco:ise:syslog log_type=Pass*
| sort 0 + _time
| streamstats current=false window=1 global=f values(SelectedAuthorizationProfiles) as previousAuth by Calling_Station_ID
| where SelectedAuthorizationProfiles!=previousAuth
| timechart span=1h limit=0 dc(Calling_Station_ID) as "# of Changes"

If this comment/answer was helpful, please up vote it. Thank you.

elliottrl
Engager

I made some slight modifications to correct, but no dice. Managed to get zero returns.

sourcetype=cisco:ise:syslog log_type=Pass*
| sort 0 + _time
| streamstats current=false window=1 values(SelectedAuthorizationProfiles) as previousAuth by Calling_Station_ID
| where SelectedAuthorizationProfiles!=previousAuth
| timechart span=1h dc(Calling_Station_ID) as "# of Changes"
0 Karma

dmarling
Builder

@elliottrl, I wanted to let you know that I figured out why the query I gave you didn't work after playing around with a similar use case I ran into. I did not add a necessary command on the streamstats for this to function properly:

sourcetype=cisco:ise:syslog log_type=Pass*
| sort 0 + _time
| streamstats current=false window=1 global=f values(SelectedAuthorizationProfiles) as previousAuth by Calling_Station_ID
| where SelectedAuthorizationProfiles!=previousAuth
| timechart span=1h dc(Calling_Station_ID) as "# of Changes"

The global=f flag was critical for this to function due to the command defaulting to true per the documentation of streamstats:

global
Syntax: global=<bool>
Description: Used only when the window argument is set. Defines whether to use a single window, global=true, or to use separate windows based on the by clause. If global=false and window is set to a non-zero value, a separate window is used for each group of values of the field specified in the by clause.
Default: true

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Streamstats

I have updated the original answer as well with this correction. I can confirm that making that one modification made a difference in my similar use case.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

elliottrl
Engager

So, the query does work, but the results differ from what I originally posted in that I'm getting different counts per hour. I'll do some more digging from my end to see if I can figure the delta out. Appreciate the help!

0 Karma

dmarling
Builder

I took a look at your original query and I can see why it's returning different results. Your original evals to generate auth1 and auth2 are using mvindex with auth1 being 1 and auth2 being 2 in your mvindex command. When using mvindex, 0 is the first result of the multi-valued field and 1 is the second result. Your auth1 and auth2 were the second and third results of the multi-valued field authz. This means your where clause was saying you don't want the second and third results to match, which ultimately means you were using the most current time stamp to track auth information from the prior two authorizations. I am not surprised that they are no longer lining up with the method I provided you as with my query you are comparing the auth event on the current event with the auth event on the prior event. If you really want it to be like the original query, I can modify the query, but I'm pretty sure that was not your goal when you originally wrote it.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
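The following is an added example, not code from either poster. It replays a handful of constructed Cisco ISE passed-authentication lines through a plain-Python model of the two SPL pipelines in this thread: the corrected streamstats answer (window=1 with global=f versus the default global=t) and the original eventstats/mvindex query with index pairs (1, 2) versus (0, 1). The MACs, profile names, timestamps and the simplified line layout are made up for the example; the semantics of global are taken from the streamstats documentation quoted above, and the model assumes SelectedAuthorizationProfiles is single-valued per event and that an unsorted search hands events to eventstats newest first. It is meant to let you see, offline, why the global=t version returned nothing and why the two queries count different stations.

```python
"""Offline model of the two SPL approaches discussed in this thread.
Added example; not the original poster's or Splunk's code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of CISE_Passed_Authentications syslog.
# Stations, profiles and times are invented for this example.
SAMPLE_LINES = [
    "2024-03-12 09:58:10 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55, SelectedAuthorizationProfiles=Quarantine,",
    "2024-03-12 10:02:41 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=AA-BB-CC-DD-EE-FF, SelectedAuthorizationProfiles=Corp_Access,",
    "2024-03-12 10:05:03 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55, SelectedAuthorizationProfiles=Corp_Access,",
    "2024-03-12 10:30:17 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=AA-BB-CC-DD-EE-FF, SelectedAuthorizationProfiles=Corp_Access,",
    "2024-03-12 11:15:59 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55, SelectedAuthorizationProfiles=Corp_Access,",
    "2024-03-12 11:47:22 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=AA-BB-CC-DD-EE-FF, SelectedAuthorizationProfiles=Guest,",
    "2024-03-12 11:50:05 +00:00 ise01 CISE_Passed_Authentications Calling-Station-ID=AA-BB-CC-DD-EE-FF, SelectedAuthorizationProfiles=Corp_Access,",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \+00:00 .*?"
    r"Calling-Station-ID=(?P<station>[^,]+),.*?"
    r"SelectedAuthorizationProfiles=(?P<authz>[^,]+),"
)


def parse_events(lines):
    """Extract _time, Calling_Station_ID and SelectedAuthorizationProfiles."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not a usable passed-auth record
        events.append({
            "_time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "station": m["station"],
            "authz": m["authz"],
        })
    return events


def streamstats_changes(events, global_window=False):
    """Model of: sort 0 +_time | streamstats current=false window=1
    global=<global_window> values(SelectedAuthorizationProfiles) as previousAuth
    by Calling_Station_ID | where SelectedAuthorizationProfiles!=previousAuth

    global=f: one 1-event window per station, so previousAuth is that
    station's prior profile. global=t (the default): a single 1-event window
    across all stations, so previousAuth is only set when the immediately
    preceding event is the same station; otherwise it is null and the where
    clause drops the event. Returns (time, station) for each detected change."""
    changes = []
    last_by_station = {}
    last_event = None
    for ev in sorted(events, key=lambda e: e["_time"]):
        if global_window:
            same = last_event is not None and last_event["station"] == ev["station"]
            prev = last_event["authz"] if same else None
        else:
            prev = last_by_station.get(ev["station"])
        if prev is not None and ev["authz"] != prev:
            changes.append((ev["_time"], ev["station"]))
        last_by_station[ev["station"]] = ev["authz"]
        last_event = ev
    return changes


def timechart_dc_station(changes):
    """Model of timechart span=1h dc(Calling_Station_ID): distinct stations per hour."""
    buckets = defaultdict(set)
    for t, station in changes:
        buckets[t.strftime("%Y-%m-%d %H:00")].add(station)
    return {hour: len(stations) for hour, stations in sorted(buckets.items())}


def eventstats_mvindex_flags(events, first, second):
    """Model of the original query: eventstats list(...) by station, then
    where mvindex(authz, first) != mvindex(authz, second).
    With no sort the search returns events newest first, so the list is newest
    first too; mvindex is 0-based, so (1, 2) compares the 2nd and 3rd most
    recent profiles and (0, 1) the two most recent. An out-of-range index is
    null in Splunk and the where clause drops that station."""
    by_station = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        by_station[ev["station"]].append(ev["authz"])
    flagged = set()
    for station, authz in by_station.items():
        a = authz[first] if first < len(authz) else None
        b = authz[second] if second < len(authz) else None
        if a is not None and b is not None and a != b:
            flagged.add(station)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    print("global=f:", timechart_dc_station(streamstats_changes(evs)))
    print("global=t:", timechart_dc_station(streamstats_changes(evs, global_window=True)))
    print("mvindex 1,2:", eventstats_mvindex_flags(evs, 1, 2))
    print("mvindex 0,1:", eventstats_mvindex_flags(evs, 0, 1))
```

On the sample data the global=f model finds three changes (one for the first station at 10:05, two for the second at 11:47 and 11:50), which timechart collapses to one distinct station in each of the 10:00 and 11:00 buckets; global=t only sees the 11:50 change because that is the only event whose immediate predecessor belongs to the same station. The mvindex model flags both stations with indices (1, 2) but only the second with (0, 1), which is the delta described above. Two caveats if you compare this against real ISE data: the model treats SelectedAuthorizationProfiles as single-valued per event, whereas ISE can emit more than one profile, and the original eventstats query tags every event of a flagged station rather than the moment of change, so its hourly counts will differ from the streamstats version even after fixing the indices.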

elliottrl
Engager

I didn't realize that mvindex started at 0. That'll definitely make a difference in the delta between your query and mine. You are correct, going for the second and third entries was not my intent. I'll validate things when I have a chance and mark the answer appropriately.

0 Karma

dmarling
Builder

If you have time, do you mind going through an example where you would expect results and it did not return the expected results? If you could copy/paste a small example base with it being fuzzed a bit for any secure information, I could write a run-anywhere example using that data to see why it didn't work as expected.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma