Regarding the 0 results, this is my current query: index= useractivitylogs
[search
index=wineventlog EventCode=4725 earliest=-1h latest=now
| eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S")
| stats count as count by username
| where count=1
fields username ] Without inputting any table or running any stats on it, it shows up as 0. Even if i were to change my index to the same as the subsearch index, it is still 0 results. Currently, the subsearch results will list a column of many different usernames. I am trying to troubleshoot as to why running the subsearch results in 0. Will appreciate your help. Thank you
... View more