ahh, why do you use stats in between ? It removes the UserAuthenticationQuery field from the results.

@renjith_nair 

So I should remove it? If I do, it doesn't change anything I still get 2,730 results. I grabbed this from you on the first page you mentioned:

@Bassik,

As you said , it might not be accurate. However, if you want to get the app list for a user with time as a common factor (seconds' precision) , try this

"your search"
|eval timeIdentifier=strftime(_time,"%Y-%m-%d-%H-%M-%S")
|stats values(a_app)  as appList by timeIdentifier,cs_username

appList should have the list of apps. We converted time to string just to make sure that we take until seconds precision. You may user _time directly as well

@Bassik,

that was for that specific solution.

Try the latest search please without the stats. Also have a look at the search's construction to understand how it works. That will help you to troubleshoot

@renjith_nair 

Thanks again, yes I did remove it as mentioned. It didn't resolve anything other then list all events and not in a table format. 

I have looked many times at the search construction and tried many things... I get what I want but do not understand the logic on how to link the two time events to no another.

post your current search and sample events

@renjith_nair 

Hi sorry for the delay. I have worked out an alternative to my search. I have another question. Is there a way to dedup a field by another event?

I seem to being getting my results but when I dedup username, it just randomly selects an event and lists that in my stats. I want to only dedup the username based on UserAuthenticationQuery event?

Thanks

As mentioned this is the closest I have:

But it includes every event at those timestamps. I only want the timestamp in which a_action = UserAuthenticationQuery. if I include UserAuthenticationQuery  in search then it drops off all events. I don't know why it still doesn't append the multiple app values under appList field?