I'm looking into a way to discover the following scenario in my ingested logs: some user logged out and didn't log back in within the next 1h.
I assume in this case I should look in my search for a logout event, and use a subsearch to look for a subsequent login event related to the same user within 1h.
Eventually I would use the search in Enterprise Security (correlation search) triggering when the second event didn't happen within an hour.
Please let me know if you have any tip on how I should approach this.
I don't understand the value of your use case, but this will show you:
```spl
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND (<Login match details here> OR <Logout match details here>)
| streamstats count(eval(searchmatch("<Login match details here>"))) AS sessionID BY user
| stats range(_time) AS duration count max(_time) AS _time BY sessionID user
| where count==1 OR (duration > (60*60))
```
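The answer above pairs each logout with the next login by the same user and flags pairs whose gap exceeds an hour, or logouts that never got a partner. The following is an added reference implementation of that same pairing logic in Python (not SPL, and not code from anyone in this thread), run over a few constructed sample log lines in an assumed `timestamp action=... user=...` format. It also handles the caveat a correlation search has to respect: a logout less than an hour old is not yet decidable, because the login may still arrive inside the window, so the check takes a `now` and skips such logouts instead of alerting on them prematurely.

```python
"""Reference check for 'user logged out and did not log back in within 1h'.

Added example: plain Python, not Splunk SPL and not code from the original
thread. The log format and the sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (assumed format: ISO-8601 UTC timestamp,
# action=login|logout, user=<name>). Lines are deliberately out of order
# across users to show that the check sorts per user first.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z action=login user=alice
2024-03-01T09:30:00Z action=logout user=alice
2024-03-01T09:45:00Z action=login user=alice
2024-03-01T08:10:00Z action=login user=bob
2024-03-01T10:00:00Z action=logout user=bob
2024-03-01T11:30:00Z action=login user=bob
2024-03-01T08:20:00Z action=login user=carol
2024-03-01T11:50:00Z action=logout user=carol
"""

LINE_RE = re.compile(r"^(\S+) action=(login|logout) user=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(hours=1)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse log lines into (time, action, user) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
    return events


def find_stale_logouts(events, now, window=WINDOW):
    """Return (user, logout_time) for every logout that is not followed by a
    login from the same user within `window`.

    A logout younger than `window` relative to `now` is skipped rather than
    reported: the user may still log back in before the window closes, so a
    correlation search that runs on such a logout would alert too early.
    """
    by_user = {}
    for ts, action, user in sorted(events):  # chronological order per user
        by_user.setdefault(user, []).append((ts, action))

    alerts = []
    for user, seq in by_user.items():
        for i, (ts, action) in enumerate(seq):
            if action != "logout":
                continue
            if now - ts < window:
                continue  # not yet decidable; re-check on a later run
            next_login = next((t for t, a in seq[i + 1:] if a == "login"), None)
            if next_login is None or next_login - ts > window:
                alerts.append((user, ts))
    return alerts


def stale_logouts_at(now_iso, text=SAMPLE_LOG):
    """Run the check against a log text as of `now_iso`; returns (user, ts) strings."""
    now = parse_ts(now_iso)
    return [(u, t.strftime(TS_FMT)) for u, t in find_stale_logouts(parse_events(text), now)]


if __name__ == "__main__":
    # As of 12:00 bob is flagged (logout 10:00, next login 11:30 = 1.5h);
    # alice logged back in after 15 min; carol's 11:50 logout is too fresh.
    for user, ts in stale_logouts_at("2024-03-01T12:00:00Z"):
        print(f"ALERT user={user} logout={ts} no login within 1h")
```

The "not yet decidable" branch is the part the SPL version has to get right through its time range: the correlation search's earliest/latest window must reach at least one hour past the newest logout it considers, otherwise a logout in the last hour of the window will show up with count==1 simply because the login has not been indexed yet.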