I am trying to run a search where I want my data to be more than 12 months old.
However when I run this search, it brings up data between 2 days old and 12 months old.

Anyone got any ideas on where I am going wrong?

| inputlookup append=T access_tracker where lastTime_user>=1659602543.000000
| stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user
| eval "second2lastTime"=mvdedup(mvappend('second2lastTime',NULL,'lastTime_vals')),"second2lastTime"=if(mvcount('lastTime')=1 AND mvcount('second2lastTime')>1 AND 'second2lastTime'='lastTime',split(ltrim(replace("|".mvjoin('second2lastTime',"|"),"\|".'lastTime',""),"|"), "|"),'second2lastTime'),"second2lastTime"=max('second2lastTime'),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime
| search inactiveDays>=12mo