To find the user first time login in PCI compilance - what is the SPL query ?
I am using the query as below :
| from inputlookup:access_tracker | stats min(firstTime) as firstTime,values(dest) as dest by user | sort 100 - firstTime | uitime(firstTime) | fields dest user firstTime
