@hok2010

Can you please try this?

index=main sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4672 ) 
| eval Account_Name=mvindex(Account_Name,1) 
| search Account_Name!=$ 
| table _time EventCode Account_Name 
| stats latest(eval(if(EventCode=="4625",_time,NULL))) as _time count(eval(EventCode="4625")) as EventCode_4625 count(eval(EventCode="4672")) as EventCode_4672 by Account_Name  | where EventCode_4625=1 AND EventCode_4672=1
| table _time EventCode_* Account_Name

My Sample Seach:

| makeresults 
| eval EventCode=4625,Account_Name="AAA" 
| append 
    [| makeresults 
    | eval EventCode=4625,Account_Name="BBB"] 
| append 
    [| makeresults 
    | eval EventCode=4672,Account_Name="BBB"] 
| search (EventCode=4625 OR EventCode=4672 ) 
| stats latest(eval(if(EventCode=="4625",_time,NULL))) as _time count(eval(EventCode="4625")) as EventCode_4625 count(eval(EventCode="4672")) as EventCode_4672 by Account_Name  | where EventCode_4625=1 AND EventCode_4672=1
| table _time EventCode_* Account_Name

Thanks