Hi,

My query:
index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d | stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name | eval status=case(EventCode=630, \"Account%20Deletion\", EventCode=4726, \"Account%20Deletion\", EventCode=624, \"Account%20Creation\", EventCode=4720, \"Account%20Creation\") | transaction user startswith=status=\"Account%20Creation\" endswith=status=\"Account%20Deletion\" maxevents=2 | where duration < 3600

When I add "Stats values", the query isn't found any hit.

When I delete "Stats values", the query returns with hits.

What is wrong with my query? 🙂

Thanks!