Hi, I have a report showing who has added or removed a person to or from a group. Like:

index="win*" (EventCode=4728 OR EventCode=4729) | table _time, result, target_group, target_user, src_user

This, however, from time to time returns a user called "XXXXX01", "XXXXX02", etc., which is a shared account in our PAM solution. I can find the user behind it by searching:

index="PAM" duser="XXXXX*" "cn2=(Action: Connect)" | table _time, duser, suser, command, reason

How can I make the first search and then, in case the user is XXXXX01, search for the latest time XXXXX01 was used relative to the time in the first search?

At the moment we need to run the searches side by side, and then find the correct time and checkout of the XXXXX account, since e.g. XXXXX01 can be checked out many times during a work day.
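One way to do the correlation asked about above in a single search, as an added example that is not part of the original post: both event sets are pulled together, sorted by time, and `streamstats` carries the most recent PAM checkout forward onto each later group-change event for the same account. It assumes that only the Windows events carry `EventCode`, and that `src_user` and `duser` hold the same account name once lowercased; `shared_account`, `pam_user`, `pam_reason`, `pam_time`, `checked_out_by`, `checkout_reason` and `checkout_time` are field names made up for this example.

```spl
(index="win*" (EventCode=4728 OR EventCode=4729)) OR (index="PAM" duser="XXXXX*" "cn2=(Action: Connect)")
| eval shared_account=lower(if(isnotnull(EventCode), src_user, duser))
| eval pam_user=if(isnull(EventCode), suser, null())
| eval pam_reason=if(isnull(EventCode), reason, null())
| eval pam_time=if(isnull(EventCode), _time, null())
| sort 0 _time
| streamstats last(pam_user) as checked_out_by last(pam_reason) as checkout_reason last(pam_time) as checkout_time by shared_account
| where isnotnull(EventCode)
| eval checkout_time=strftime(checkout_time, "%Y-%m-%d %H:%M:%S")
| table _time, result, target_group, target_user, src_user, checked_out_by, checkout_reason, checkout_time
```

Group changes made by ordinary (non-shared) accounts have no matching PAM event, so the three checkout columns stay empty for them. The search time range has to start early enough to include the checkout that precedes the first group change.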