At present the search is look at events under 12 months and I want it to look for events after 12 months. So anything I put before the brackets, i.e greater than > ("12mo","1") comes up with a error message For example: | `inactive_account_usage| where count =>12mo ("12mo","1")` | `ctime(lastTime)` | fields + user,tag,inactiveDays,lastTime Error message says: Error in 'SearchParser': The name 'inactive_account_usage|where count =>12mo ' is invalid. Macro and argument names might only include alphanumerics, '_' and '-'. When expanding the string I get: | inputlookup append=T access_tracker where lastTime_user>=1659530054.000000 | stats min(firstTime) as firstTime,values(second2lastTime) as second2lastTime,values(lastTime) as lastTime_vals,max(lastTime) as lastTime by user | eval "second2lastTime"=mvdedup(mvappend('second2lastTime',NULL,'lastTime_vals')),"second2lastTime"=if(mvcount('lastTime')=1 AND mvcount('second2lastTime')>1 AND 'second2lastTime'='lastTime',split(ltrim(replace("|".mvjoin('second2lastTime',"|"),"\|".'lastTime',""),"|"), "|"),'second2lastTime'),"second2lastTime"=max('second2lastTime'),inactiveDays=round((lastTime-second2lastTime)/86400,2),_time=lastTime | search inactiveDays>=12mo | lookup update=true identity_lookup_expanded identity as user OUTPUTNEW _key as user_identity_id,bunit as user_bunit,category as user_category,email as user_email,endDate as user_endDate,first as user_first,identity as user_identity,identity_tag as user_identity_tag,jobTitle as user_jobTitle,last as user_last,managedBy as user_managedBy,nick as user_nick,phone as user_phone,prefix as user_prefix,priority as user_priority,startDate as user_startDate,suffix as user_suffix,userPrincipalName as user_userPrincipalName,watchlist as user_watchlist,work_city as user_work_city,work_country as user_work_country,work_lat as user_work_lat,work_long as user_work_long | lookup identity_lookup_default_fields key as user OUTPUTNEW watchlist as user_watchlist | eval "tag"=mvdedup(mvappend('tag',NULL,'user_identity_tag')),"user_startDate"=case(isnum('user_startDate'),'user_startDate',isnum(strptime('user_startDate',"%m/%d/%Y %H:%M")),strptime('user_startDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_startDate',"%m/%d/%y %H:%M")),strptime('user_startDate',"%m/%d/%y %H:%M"),1=1,'user_startDate'),"user_endDate"=case(isnum('user_endDate'),'user_endDate',isnum(strptime('user_endDate',"%m/%d/%Y %H:%M")),strptime('user_endDate',"%m/%d/%Y %H:%M"),isnum(strptime('user_endDate',"%m/%d/%y %H:%M")),strptime('user_endDate',"%m/%d/%y %H:%M"),1=1,'user_endDate') | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime) | fields + user,tag,inactiveDays,lastTime
... View more