Thanks @gcusello for your help. I have used your last query and it is giving the results below:

| Id | dc_sourcetype | Name | User |
|---|---|---|---|
| 366 | 2 | FiredrillAgent_2.2.445 | userB |
| 425 | 2 | TeamViewer-15_9_4-V1 | userA |

We have 1 more requirement. We have Enabled=0 and Enabled=1 in the last line of the 2nd search events. We need to check: if Enabled=0 it should be mentioned as Unpublish, and if Enabled=1 it should be mentioned as Publish (please check the sample table below).

In sourcetype=sql_appv_packageversion, we have events like below, which have Enabled=0 or 1 in last time:

```
2020-11-12 17:58:00.062, Id="323", PackageGuid="*", Name="ApacheMaven-363", VersionGuid="*", VersionNumber="0.0.0.1", Size="0", PackageUrl="\*", UserPolicyFromManifest="<UserConfiguration xmlns:xsd="*" xmlns:xsi="h*" PackageId="*" DisplayName="(App-V Default)" xmlns="*"> </DeploymentConfiguration>", SequencerArchitecture="x64", Enabled="0", TimeAdded="2020-11-03 13:36:46.090", TimeChanged="2020-11-04 23:00:17.193", TimeEnabled="2020-11-03 13:55:24.209"
```

Sample table:

| Id | dc_sourcetype | Name | User | Action |
|---|---|---|---|---|
| 366 | 2 | FiredrillAgent_2.2.445 | userB | Publish |
| 425 | 2 | TeamViewer-15_9_4-V1 | userA | Unpublish |