I'm new at creating Splunk searches and events. I would like a Notable Event to alert whenever an employee login is detected on the network and the VPN at the same time. I read that this can be done with a sub-search, but I'm having trouble creating the search query. Any suggestions would be greatly appreciated.
If you can post non-confidential samples of searches that return a LAN logon, and a VPN logon, we can get closer, but here's a version in pseudocode...
( index=fooLAN sourcetype=LANsource "whatever other stuff that shows LAN logons") OR
( index=fooVPN sourcetype=VPNsource "whatever other stuff that shows VPN logons")
| bin span=10m _time as mytime
| eval userid=coalesce(LANUseridField,VPNUseridField)
| eval mytype=if(sourcetype="LANsource","LAN","VPN")
| stats range(_time) as timerange, min(_time) as startTime, max(_time) as endTime, values(mytype) as mytype by mytime, userid
| where mvcount(mytype)>1
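To make the correlation logic above concrete outside Splunk, here is an added Python example (my own code, not part of the original answer or of Splunk) that reproduces the same pipeline over a handful of constructed logon events: coalesce the user id, label each event LAN or VPN, floor `_time` into 10-minute buckets, and flag any (bucket, user) pair that contains both types. The field names `LANUseridField` and `VPNUseridField` and the sourcetype names are the answer's placeholders, and the events are made up. It goes one step beyond the answer by also implementing a sliding-window variant, which shows the main caveat of fixed `bin` buckets: a LAN logon at 09:09:30 and a VPN logon at 09:10:30 are one minute apart but land in different buckets, so the bucketed search never alerts on them.

```python
"""Correlate LAN and VPN logons per user, mirroring the SPL pipeline in the answer."""
from collections import defaultdict
from datetime import datetime, timezone

SPAN_SECONDS = 600  # the 10m span used by `bin`

# Constructed sample events (not from the thread). Field names are the
# answer's placeholders, not real field names from any sourcetype.
SAMPLE_EVENTS = [
    {"sourcetype": "LANsource", "LANUseridField": "alice", "_time": "2024-01-01T09:02:00Z"},
    {"sourcetype": "VPNsource", "VPNUseridField": "alice", "_time": "2024-01-01T09:07:00Z"},
    {"sourcetype": "LANsource", "LANUseridField": "bob",   "_time": "2024-01-01T09:09:30Z"},
    {"sourcetype": "VPNsource", "VPNUseridField": "bob",   "_time": "2024-01-01T09:10:30Z"},
    {"sourcetype": "VPNsource", "VPNUseridField": "carol", "_time": "2024-01-01T09:03:00Z"},
    {"sourcetype": "VPNsource", "VPNUseridField": "carol", "_time": "2024-01-01T09:08:00Z"},
]


def to_epoch(ts):
    """Parse an ISO-8601 UTC timestamp into epoch seconds (what Splunk's _time holds)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def normalise(event):
    """eval userid=coalesce(LANUseridField,VPNUseridField)
       eval mytype=if(sourcetype="LANsource","LAN","VPN")"""
    userid = event.get("LANUseridField") or event.get("VPNUseridField")
    mytype = "LAN" if event["sourcetype"] == "LANsource" else "VPN"
    return userid, mytype, to_epoch(event["_time"])


def fixed_bucket_hits(events, span=SPAN_SECONDS):
    """bin span=10m _time as mytime | stats ... by mytime userid | where mvcount(mytype)>1"""
    groups = defaultdict(lambda: {"types": set(), "times": []})
    for event in events:
        userid, mytype, t = normalise(event)
        mytime = t - (t % span)          # bucket start, same floor that `bin` applies
        groups[(mytime, userid)]["types"].add(mytype)
        groups[(mytime, userid)]["times"].append(t)
    hits = []
    for (mytime, userid), g in sorted(groups.items()):
        if len(g["types"]) > 1:          # both LAN and VPN seen in this bucket
            hits.append({
                "userid": userid, "mytime": mytime,
                "startTime": min(g["times"]), "endTime": max(g["times"]),
                "timerange": max(g["times"]) - min(g["times"]),
                "mytype": sorted(g["types"]),
            })
    return hits


def sliding_window_hits(events, window=SPAN_SECONDS):
    """Pair every LAN logon with any VPN logon by the same user within +/- window seconds.
    Unlike fixed buckets, this catches a pair that straddles a 10-minute boundary."""
    by_user = defaultdict(lambda: {"LAN": [], "VPN": []})
    for event in events:
        userid, mytype, t = normalise(event)
        by_user[userid][mytype].append(t)
    hits = []
    for userid, times in sorted(by_user.items()):
        for lan_t in times["LAN"]:
            for vpn_t in times["VPN"]:
                if abs(lan_t - vpn_t) <= window:
                    hits.append({"userid": userid, "lanTime": lan_t,
                                 "vpnTime": vpn_t, "gap": abs(lan_t - vpn_t)})
    return hits


if __name__ == "__main__":
    print("fixed buckets :", [h["userid"] for h in fixed_bucket_hits(SAMPLE_EVENTS)])
    print("sliding window:", [h["userid"] for h in sliding_window_hits(SAMPLE_EVENTS)])
```

Run stand-alone, the bucketed version reports only alice, while the sliding-window version reports alice and bob; carol has two VPN logons and no LAN logon, so neither flags her. If the boundary case matters for the notable event, the Splunk-side options are a wider span (which increases the chance of benign overlaps) or `transaction userid maxspan=10m` over the same base search, which groups by proximity rather than by fixed bucket.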