I have a search tracking users logging into our Juniper VPN:
sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline first(LoginTime) as LastLogin count by Username | sort -count | head 10
Everything works perfectly when it is set to the last 24 hours, but when I change the timeline to 30 days (the default), the first value of LastLogin is wrong on half the users. The count is correct, but first is dropping off the last 24 hours' worth of logins.
It is related to username=lower(Username). I am using this because users sign in as Jimmy.zio and jimmy.zio; both work, and I am aggregating the users into 1.