Hi @chimuru84, sorry, I misunderstood your requirement!

Let me understand: you want to know the users connected to a third party authentication in the last hour that didn't do another connection in the last year but they did before, is it correct?

At first: how long do you want to run your check: two years? Then, when you say "authentication at the moment", do you mean in the last hour or what else?

With the above hypothesis, please try this:

index=...... earliest=-2y latest=-h [ search index=...... earliest=-h latest=now | dedup id | fields id ]
| eval Period=if(_time>now()-31536000, "last Year","Previous Year")
| stats
    dc(Period) AS Period_count
    values(Period) AS Period
    BY id
| where Period_count=1 AND Period="Previous Year"
| table id

In this way, you have the users connected in the last hour that did the last connection (except the last hour) more than one year ago.

If you need a different condition, you can use my approach.

Ciao.
Giuseppe
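The check described in the post above, written outside Splunk as an added example that is not part of the original post: it flags ids seen in the last hour whose earlier logins all fall more than a year back. The function name, the event tuples and the fixed "now" are constructed for illustration, and the two-year lookback is approximated as twice the 31536000-second year used in the search.

```python
from datetime import datetime, timedelta, timezone

YEAR = timedelta(seconds=31536000)  # same one-year constant as the search
HOUR = timedelta(hours=1)

def dormant_reactivations(events, now):
    """Return ids that logged in during the last hour and whose earlier
    history (within the two-year lookback) is only older than one year."""
    recent = set()   # ids seen in the last hour (the subsearch)
    periods = {}     # id -> set of period labels for the older events
    for ts, uid in events:
        age = now - ts
        if age < timedelta(0) or age > 2 * YEAR:
            continue  # outside the lookback window (assumed 2 * YEAR)
        if age <= HOUR:
            recent.add(uid)
        else:
            label = "last Year" if age < YEAR else "Previous Year"
            periods.setdefault(uid, set()).add(label)
    # Exactly one distinct period, and it is "Previous Year".
    return sorted(u for u in recent if periods.get(u) == {"Previous Year"})

# Constructed sample data, not taken from any real log.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    (NOW - timedelta(minutes=10), "alice"),  # back after 400 days: flagged
    (NOW - timedelta(days=400), "alice"),
    (NOW - timedelta(minutes=20), "bob"),    # also active 30 days ago
    (NOW - timedelta(days=30), "bob"),
    (NOW - timedelta(days=500), "bob"),
    (NOW - timedelta(minutes=5), "carol"),   # first login ever, no history
    (NOW - timedelta(days=450), "dave"),     # dormant, but not back yet
    (NOW - timedelta(minutes=30), "erin"),   # history older than the window
    (NOW - timedelta(days=1095), "erin"),
]

if __name__ == "__main__":
    print(dormant_reactivations(SAMPLE, NOW))
```

An account with no history inside the lookback (carol, erin) is not reported, which matches the subsearch-plus-stats shape of the search: there is no older event to produce a row for that id.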