I have a query which shows the details of Users and VPN host which they are connected.For suppose if a user has connected to vpn_bom in the 24 hours I don't want to see his details in the results.I want to display the results of all the users who haven't connected to vpn_bom in the last 24hrs at least once.

Thank you for the help as always.

These are the results im getting when i execute the above query , but I don't want to display chrispar details as he has connected to vpn_bom at least once.

I want only those people who have not connected to vpn_bom and connected to other vpns(sbala,jeffp in thi case)

Results:

Query:

index=vpn  Cisco_ASA_message_id=722051 OR Cisco_ASA_message_id=113019 NOT "AnyConnect-Parent"
| transaction user endswith="Duration:" keepevicted=true
| eval full_duration = duration_hour."h".duration_minute."m".duration_second."s"
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=(strftime(_time + duration,"%Y/%m/%d %H:%M:%S")), Total_time=if(isnull(full_duration), Start_time." --> current session",Start_time." --> ".End_time)
| mvexpand src
| iplocation src | eval LocationIP=City.", ".Country
| stats values(host) as vpn_host values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(assigned_ip) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user|rename LocationIP as User_Location |eval temp=split(User_Location,",") | eval User_Country=mvindex(temp,1)| fields - temp
|rename user as User vpn_host as Target_VPN| table User User_Country Target_VPN |search User_Country=*India*