This is the query I'm using:
query1:
sourcetype=tanium earliest=-24h
    (query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk")
    (Uptime="1 days" OR Uptime="Less than 1 day")
    NOT Last_Logged_In_User="*adm"
| table Computer_Name Last_Logged_In_User OS_Boot_Time Last_Reboot
| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)
| dedup LastReboot, Last_Logged_In_User
| stats count by Computer_Name, Last_Logged_In_User
| where count > 2
I need a trend analysis of this query for the last 30 days.
I also did this:
query2:
sourcetype=tanium
    (query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk")
    NOT Last_Logged_In_User="*adm"
| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)
| dedup LastReboot, Last_Logged_In_User
| timechart span=1d count
| eval day = strftime(_time, "%d %b %y , %a")
| chart sum(count) by day
But this gives me the total number of events.
Can anyone help me with how to add the required conditions from query1 to query2?
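One way to fold the query1 conditions into a 30-day daily trend, as an added example that is not part of the original post and not Splunk's or Tanium's own code. It assumes the same field names and Uptime values as query1; the only deliberate departure is that the dedup also includes the day bucket (so each day is evaluated the way query1 evaluates its 24-hour window) and Computer_Name (so two hosts that happen to share a user and an identical boot time are not collapsed into one).

```spl
sourcetype=tanium earliest=-30d
    (query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk")
    (Uptime="1 days" OR Uptime="Less than 1 day")
    NOT Last_Logged_In_User="*adm"
| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)
| bin _time span=1d
| dedup _time, Computer_Name, LastReboot, Last_Logged_In_User
| stats count AS reboots by _time, Computer_Name, Last_Logged_In_User
| where reboots > 2
| timechart span=1d count AS flagged_pairs
```

The `where reboots > 2` runs per day and per host/user pair, so `flagged_pairs` is the number of pairs that would have appeared in query1's result on each of the last 30 days; `timechart` fills days with no hits as 0, which query2's `chart sum(count) by day` does not. Because the Uptime filter only approximates "rebooted today", a boot time that Tanium keeps reporting across midnight can be counted on two consecutive days; if that matters, bucket on the parsed boot time instead of the event time.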