Hi @moogmusic, this seems to be an issue with the streamstats portion of the search (good catch, by the way; thanks!). Adding global=false to streamstats should show your missing user. When window is set, streamstats defaults to global=true, which keeps a single window shared across all users instead of a separate window per user; another user's event can then push a user's previous login out of the two-event window, so prev_src equals src and the `where (src != prev_src)` filter drops that user. The search will look like this:

```
| tstats summariesonly=true allow_old_summaries=true values(Authentication.app) as app from datamodel=Authentication.Authentication where Authentication.action=success by Authentication.user, Authentication.src _time span=1s
| rename "Authentication.*" as "*"
| eventstats dc(src) as src_count by user
| search src_count>1
| sort 0 + _time
| iplocation src
| where isnotnull(lat) AND isnotnull(lon)
| streamstats window=2 global=false earliest(lat) as prev_lat, earliest(lon) as prev_lon, earliest(_time) as prev_time, earliest(src) as prev_src, earliest(City) as prev_city, earliest(Country) as prev_country, earliest(app) as prev_app by user
| where (src != prev_src)
| eval lat1_r=((lat * 3.14159265358) / 180), lat2_r=((prev_lat * 3.14159265358) / 180), delta=(((prev_lon - lon) * 3.14159265358) / 180), distance=(3959 * acos(((sin(lat1_r) * sin(lat2_r)) + ((cos(lat1_r) * cos(lat2_r)) * cos(delta))))), distance=round(distance,2)
| fields - lat1_r, lat2_r, long1_r, long2_r, delta
| eval time_diff=if(((_time - prev_time) == 0),1,(_time - prev_time)), speed=round(((distance * 3600) / time_diff),2)
| where (speed > 500)
| eval prev_time=strftime(prev_time,"%Y-%m-%d %H:%M:%S")
| table user, src, _time, City, Country, app, prev_src, prev_time, prev_city, prev_country, prev_app, distance, speed
```

This fix will go into the next InfoSec app update.