thanks Morris, There was a difference in time stamp as well, I clubbed the output of both the queries to make sure it was accessed. Thanks for your valuable inputs.: So for others below are the two search queries for their reference, They may use any as per their suitability 🙂

Cheers, Gagandeep Arora
SearchQuery1:

index=_audit action=search info=granted  | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) 
 | table _raw _time | extract | eval last_searched=strftime(_time, "%m/%d/%y %H:%M:%S") 
 | dedup index sourcetype | table index sourcetype last_searched

SearchQuery2:

 index=_audit action=search info=granted   | rex field=search "index=(?P[^ ]+)"  | rex field=search "sourcetype=(?P[^ ]+)"  | eval time=strftime(_time, "%m/%d/%y %H:%M:%S")  | rex field=search_index "\"(?P\w+)"  | rex field=search_sourcetype "\"(?P\w+)"  | stats max(time) as last_searched by search_index search_sourcetype  | sort -search_index -search_sourcetype

In my base search it is only looking where search_id has a value. That could be the difference. Try taking that out of my search to see if thats it. My search extracts the sourcetype and the index from the search field, which would account for the difference in what you are seeing for the sourcetype. Either way, I think you should be close to what you were looking for.

Thanks Morris, I clubbed the output from both the search queries.

Hello Morris, Can you please confirm on below

Thanks Morris, I also created a search for this:

index=_audit action=search info=granted  | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) 
| table _raw _time | extract | eval time=strftime(_time, "%m/%d/%y %H:%M:%S") 
| dedup index sourcetype | table index sourcetype time

I can see difference in Search count and difference in output. Can you please check and confirm which query would suite best.

My prime motive is to compare sourcetype of this output with my excel for a time frame of 1 month.