bowesmana, thank you for your response. I am new to Splunk. I do not understand all the code you provided. My next question is: how do I incorporate the actual search using your code? Here is the search:

index="winlogs" host=* source="WinEventLog:Security" EventCode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort _time | convert ctime(_time) as timestamp | table timestamp, EventCode, Logon_Type, Account_Name, RecordNumber, status