The search below is what I have working now to see which users are not in the first event code.
index="wineventlog" EventCode="4723" status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count by user
| table user
| map search="search index=\"wineventlog\" EventCode=\"4724\" NOT user=$user$ status=success"
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)"
| dedup _time
| table _time, src_user, user, msad_action, status, ComputerName
| rename src_user as "Admin Account", user as "ICFI Account", msad_action as "Action", status as "Result", ComputerName as "Domain Controller"
| sort "Admin Account"
Is there any way to speed this up? It is taking a long time.
It's slow because you're using a sub-search to iterate through a list of users and comparing them to what you have indexed. You need to rewrite the search to exclude the map command, search both event codes in one pass, and compare the two sets via stats.
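Added example of the stats-based rewrite the answer describes (not the answerer's code, and not from the original question). It assumes the goal is accounts that have a successful 4724 (password reset) but no successful 4723 (password change) in the same time range, that the field names are the ones used in the original search, and that the reported admin accounts should match the stricter `ss` pattern the original applied to its final output.

```spl
index="wineventlog" (EventCode="4723" OR EventCode="4724") status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)"
| eval has_4723=if(EventCode="4723", 1, 0), has_4724=if(EventCode="4724", 1, 0)
| stats sum(has_4723) as count_4723, sum(has_4724) as count_4724,
        min(_time) as _time, values(src_user) as src_user,
        values(msad_action) as msad_action, values(status) as status,
        values(ComputerName) as ComputerName by user
| where count_4724 > 0 AND count_4723 = 0
| table _time, src_user, user, msad_action, status, ComputerName
| rename src_user as "Admin Account", user as "ICFI Account", msad_action as "Action", status as "Result", ComputerName as "Domain Controller"
| sort "Admin Account"
```

One pass over the index replaces one sub-search per user; flip the `where` condition to `count_4723 > 0 AND count_4724 = 0` if the intended set is the other direction.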