Thank you this is also a very nice way of listing anomalities, it does lists all (non anomalities) off-duty lines aswell, but it can be fixed by adding this the end:
|where action="view" OR action="write"
This works very nicely to find anomalities, also if you want to count all anomalities instead of transactions and a way to find even a anomality line that happends when user has logout and has not yet login again.
... View more