I'm not sure I understand exactly what you are trying to accomplish, but try this output.
index=* sourcetype=DORA_Login
| eval age_days=(now()-_time)/(60*60*24)
| eval IsOver180 = if(age_days>180,"Over 180","Under 180")
| eval User_Name=lower(User_Name) | dedup User_Name
| chart count OVER index BY IsOver180
And actually, as a test because it'll be SO much faster - try doing a search over the previous 7 days or week to date and instead of using "180" use, say, 1 or 3. This should do this week, looking for ones older than 3 days:
index=* sourcetype=DORA_Login earliest=-7d@d
| eval age_days=(now()-_time)/(60*60*24)
| eval IsOver180 = if(age_days>3,"Over 3","Under 3")
| eval User_Name=lower(User_Name) | dedup User_Name
| chart count OVER index BY IsOver180
Give that a go, see what you think.
Happy Splunking!
-Rich
... View more