That doesn't return anything. I really need to focus on "A User", not just everything. I ran this, and it returned nothing for the account, but then when I try it against my user account it does return data. The account wmsadmin is indeed an actual user account that is disabled, and the "lastLogonTimestamp" has a value or date of 9/20/2011.

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634 "wmsadmin")
| eval day=strftime(_time,"%d/%m/%Y")
| stats earliest(_time) AS earliest latest(_time) AS latest by user host day
| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")