I found the solution. I had to replace line: | reverse with: | sort src_ip _time So that streamstats resets the counter each time the action is "success" for each src_ip. Working code: index=main sourcetype="wineventlog" EventCode IN (4624,4625) Logon_Type IN (2,3,8,10,11) | eval action=if(match(Keywords,"Audit Failure"),"failed","success") | sort src_ip _time | streamstats window=0 current=true reset_after="("action==\"success\"")" count as failure_count by src_ip | where action="success" and failure_count > 20 | table _time, user, src_ip, action, failure_count   ... View more

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need. <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval> <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval> <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval> <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval> There's probably a better way to do this but this worked for me. ... View more