I have this search. My problem is that the result only covers seven days. If I run only the first part, before the Union, the result is correct, but when I execute the two searches, the results are not correct.
earliest=-15d@d latest=now index=wineventlog (EventCode="4624")
|regex Account_Name!=".*\$"
|eval Day=strftime(_time,"%d/%m/%Y")
|eval User=mvindex(Account_Name,1)
|eval Time=strftime(_time,"%d/%m/%Y %H.%M.%S")
|stats earliest(Time) as PrimerLogin by User,host,Day
|eval desde=strptime(PrimerLogin,"%d/%m/%Y %H.%M.%S")
|join User,host,Day
[search earliest=-15d@d latest=now index=wineventlog (EventCode="4634")
|regex Account_Name!=".*\$"
|eval Day=strftime(_time,"%d/%m/%Y")
|eval User=Account_Name
|eval Time=strftime(_time,"%d/%m/%Y %H.%M.%S")
|stats latest(Time) as UltimoLogoff by User,host,Day
|eval hasta= strptime(UltimoLogoff,"%d/%m/%Y %H.%M.%S")
]
|eval segundos_usados=hasta-desde
|eval diff=if(0>segundos_usados,"Usuario No Deslogeado",tostring(floor((segundos_usados)/(3600))) + "hs" + tostring(floor((segundos_usados)/(60))%60) + "min" )
|stats values(PrimerLogin) as Login,values(UltimoLogoff) as Logoff,values(diff) as Duration by User,host,Day
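The search above feeds the 4634 events through a `join` subsearch, and `join` subsearches are bounded by Splunk's subsearch limits (by default 50,000 results and a 60-second runtime), so on a busy `wineventlog` index the subsearch is silently truncated and the outer search loses days. The following added example, which is not part of the original post, computes the same per-user/host/day first-logon and last-logoff figures with a single `stats` pass instead of a `join`, so no subsearch limit applies. It assumes the same field names as the original (`Account_Name`, `EventCode`, `host`) and that `EventCode` is extracted as a string; the output field names (`desde`, `hasta`, `PrimerLogin`, `UltimoLogoff`, `Duration`) are kept from the original so the result is comparable.

```spl
earliest=-15d@d latest=now index=wineventlog (EventCode="4624" OR EventCode="4634")
| regex Account_Name!=".*\$"
| eval Day=strftime(_time,"%d/%m/%Y")
``` 4624 carries two Account_Name values (subject and target); 4634 carries one. ```
| eval User=if(EventCode=="4624", mvindex(Account_Name,1), Account_Name)
``` One stats pass: earliest logon epoch and latest logoff epoch per User/host/Day. ```
``` Days with a logon but no logoff leave hasta null instead of dropping the row. ```
| stats min(eval(if(EventCode=="4624",_time,null()))) as desde
        max(eval(if(EventCode=="4634",_time,null()))) as hasta
        by User host Day
| eval PrimerLogin=strftime(desde,"%d/%m/%Y %H.%M.%S")
| eval UltimoLogoff=strftime(hasta,"%d/%m/%Y %H.%M.%S")
| eval segundos_usados=hasta-desde
``` Same labels as the original: missing or earlier logoff means the user never logged off. ```
| eval Duration=case(isnull(hasta) OR segundos_usados<0, "Usuario No Deslogeado",
                     true(), tostring(floor(segundos_usados/3600))+"hs"+tostring(floor(segundos_usados/60)%60)+"min")
| table User host Day PrimerLogin UltimoLogoff Duration
```

Because the timestamps stay as epoch numbers (`_time`) until the final `strftime`, the subtraction works directly on numbers and the `strptime` round-trip of the original is unnecessary. Rows where `hasta` is null are a useful review signal on their own: they mark user/host/day combinations with a logon but no matching logoff in the window.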