I had set the last search command criteria wrong.
I had set it to "| search (EventCode=4625 count>6) OR (EventCode!=4625 count>2)" but looking back at your original post, your second search was filtering with "| where count>1".
I've updated my response to change it to "| search (EventCode=4625 count>6) OR (EventCode!=4625 count>1)".
If you still don't get results, simplify the search to look for what isn't there to see if you can find out why. To test, remove the 4625 event criteria from the base search, and remove the filter looking for count>1 and see if you get anything:
index="..........." AND sourcetype=".........." AND tag=pci AND user!=null NOT (tag=..........) (EventCode=4720 OR EventCode=4722 OR EventCode=4738) NOT [| inputlookup PCI_service_accounts_list.csv | rename service_accounts as user]
| fillnull value="N/A" user, dvc_owner, dvc_bunit, dvc_ip, subject, dvc
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner,dvc_bunit,dvc_ip, subject, dvc
If you do see the kind of results you expect then add the count>1 back in:
index="..........." AND sourcetype=".........." AND tag=pci AND user!=null NOT (tag=..........) (EventCode=4720 OR EventCode=4722 OR EventCode=4738) NOT [| inputlookup PCI_service_accounts_list.csv | rename service_accounts as user]
| fillnull value="N/A" user, dvc_owner, dvc_bunit, dvc_ip, subject, dvc
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner,dvc_bunit,dvc_ip, subject, dvc
| search count>1
and if that works, then the (updated) full search I provided should work.
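As an added illustration (not code from this thread or from Splunk), the following Python models the pipeline above: the hourly bin, the stats count by user/EventCode/dvc, the service-account exclusion and the final threshold filter from the full search (4625 needs more than 6 per hour, the account-management events more than 1). The events, user names and the service-account set are constructed sample data; running it with the threshold switched off mirrors the "remove the count filter and see what comes back" debugging step.

```python
"""Added example, not code from the original thread: a Python model of the
Splunk pipeline above (hourly bin, stats count by user/EventCode/dvc,
service-account exclusion, threshold filter) so the logic can be checked
offline against constructed events. All event values below are made up."""
from collections import Counter
from datetime import datetime, timezone


def to_epoch(s):
    """Parse a 'YYYY-MM-DD HH:MM:SS' UTC string into epoch seconds."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def make_events(user, code, start, n, dvc="ws01"):
    """Constructed events, one per minute starting at `start` (fake data)."""
    base = to_epoch(start)
    return [{"_time": base + i * 60, "user": user, "EventCode": code, "dvc": dvc}
            for i in range(n)]


# Constructed sample data standing in for the index/sourcetype in the post.
SAMPLE_EVENTS = (
    make_events("alice", 4625, "2024-01-15 09:05:00", 7)         # 7 failed logons in one hour
    + make_events("dave", 4625, "2024-01-15 09:05:00", 3)        # 3 failed logons: not above 6
    + make_events("bob", 4720, "2024-01-15 10:15:00", 2)         # 2 account creations
    + make_events("carol", 4738, "2024-01-15 10:20:00", 1)       # 1 account change: not above 1
    + make_events("svc_backup", 4722, "2024-01-15 11:00:00", 3)  # service account, excluded
    + [{"_time": to_epoch("2024-01-15 10:40:00"), "user": "bob", "EventCode": 4722}]  # no dvc field
)

# Stands in for `NOT [| inputlookup PCI_service_accounts_list.csv | rename ...]`.
SERVICE_ACCOUNTS = {"svc_backup"}


def hour_bucket(epoch):
    """Equivalent of `| bin _time span=1hr`: floor to the start of the hour."""
    return epoch - (epoch % 3600)


def hour_label(epoch):
    """Equivalent of `strftime(HourDay, "%m-%d-%y %H:%M:%S")`."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%m-%d-%y %H:%M:%S")


def count_by_user_hour(events, service_accounts=SERVICE_ACCOUNTS):
    """Base search + fillnull + bin + `stats count by user, HourDay, EventCode, dvc`."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] not in (4625, 4720, 4722, 4738):
            continue                                  # base-search EventCode filter
        if ev.get("user") in service_accounts:
            continue                                  # NOT [| inputlookup ...] subsearch
        dvc = ev.get("dvc", "N/A")                    # fillnull value="N/A"
        counts[(ev["user"], hour_bucket(ev["_time"]), ev["EventCode"], dvc)] += 1
    return counts


def threshold_filter(counts, apply_threshold=True):
    """`| search (EventCode=4625 count>6) OR (EventCode!=4625 count>1)`.

    With apply_threshold=False every aggregated row is returned, which is
    the "drop the count filter and see what comes back" debugging step."""
    rows = []
    for (user, hour, code, dvc), n in sorted(counts.items()):
        limit = 6 if code == 4625 else 1
        if apply_threshold and n <= limit:
            continue
        rows.append({"user": user, "timestamp": hour_label(hour),
                     "EventCode": code, "dvc": dvc, "count": n})
    return rows


if __name__ == "__main__":
    counts = count_by_user_hour(SAMPLE_EVENTS)
    print("rows without threshold:", len(threshold_filter(counts, apply_threshold=False)))
    for row in threshold_filter(counts):
        print(row)
```

With the constructed data, the unfiltered stats table has five rows, and only two survive the threshold: alice's seven 4625 events in the 09:00 hour and bob's two 4720 events in the 10:00 hour; the service account never reaches the table because it is dropped before counting, exactly as the subsearch exclusion does.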