@malix_la_harpe  Many thanks for all advises. I've modified the query and added dedup - solution and seems to be working well. However what you proposed does the job as well. I really appreciate time which you spend helping me! | makeresults | eval event_id=1000, username="test", Computer="xx1", _time=strptime("2025-06-30 16:26:27.01", "%Y-%m-%d %H:%M:%S.%N"), resource="example1" | append [| makeresults | eval event_id=1000, username="test", Computer="xx2", _time=strptime("2025-06-30 16:26:27.02", "%Y-%m-%d %H:%M:%S.%N"), resource="example2"] | append [| makeresults | eval event_id=1001, username="test", _time=strptime("2025-06-30 16:26:27.03", "%Y-%m-%d %H:%M:%S.%N"), resource="example3"] | append [| makeresults | eval event_id=1000, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:29", "%Y-%m-%d %H:%M:%S"), resource="example2"] | append [| makeresults | eval event_id=1001, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:32", "%Y-%m-%d %H:%M:%S"), resource="example3"] | sort _time | streamstats time_window=1s values(_time) as Time values(Computer) as Computer_name values(event_id) AS EventID, last(eval(if(event_id=1000,event_id,null()))) AS previous_event_id, count(eval(event_id)) as EventCount, last(eval(if(event_id=1000,_time,null()))) AS previous_time by username | dedup previous_time username sortby EventCount desc | eval status = if(EventCount>1,"SUCCESS","FAILURE") | table Time Computer_name EventID username resource status | sort Time ... View more

Hi @malix_la_harpe  Again, many thanks for your help. Unfortunately adding  a "| search event_id=1001" won't resolve the issue as it will show only successful logins. I'm looking for query which will show also failure logins which are determined as follow: 1. If there is evenr_id 1000 and there is no following event_id 1001 in 1s for the same username - the login is FAILURE 2. If there is evenr_id 1000 and there is following event_id 1001 in 1s for the same username - the login is SUCESS And the query doesn't take into account condition in second point as  it displays FAILURE even there is following event_if 1001 in 1s for the same user name. In other words the FAILURE part doesn't work. I hope I've explained this clearly. ... View more

Hi @malix_la_harpe  Many thanks for this comprehensive answer. I've been testing the query and it gives promising results, however I have one issue and I hope you will be able to help me. In the results table there shouldn't be example2 row with FAILURE result as this is a begin of login process successfully completed in example3 row. In other words, the row example2 should be removed from the table. I've tried to adjust the query but unfortunately wasn't able and I hope you will be able to help me. I hope I explained the problem clearly - if not, please let me know.     ... View more

Thank you! ... View more

Thank you, Giuseppe! ... View more

Hi Giuseppe Many thanks for your reply. So should I update it once a year? If so, should I install the latest possible version or use something like N-1? How do you do this in your environment? We have Splunk Cloud version.   ... View more

This is exactly what I'm looking for. Many thanks for your help! ... View more

I believe it doesn't show correct results. I mean, sometimes it shows one event in count for source IP, I presume should be min 5. Or I missed something? ... View more