I did some digging at my end. Apparently, some issue with the search query itself. This query was working fine. The multireport is somehow now causing search to terminate. If I run the query in two parts as below, it is fine. index=oswinsec source="*WinEventLog:Security" action=success | stats count min(_time) as earliest max(_time) as latest by user | stats values(*) as * by user | lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest | where prior_latest < relative_time(now(), "-30d") | eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago." | convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) index=oswinsec source="*WinEventLog:Security" action=success | inputlookup append=t account_status_tracker | stats min(earliest) as earliest max(latest) as latest sum(count) as count by user | outputlookup account_status_tracker
... View more