@hok2010
Can you please try this?
index=main sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4672 )
| eval Account_Name=mvindex(Account_Name,1)
| search Account_Name!="*$"
| table _time EventCode Account_Name
| stats latest(eval(if(EventCode=="4625",_time,NULL))) as _time count(eval(EventCode="4625")) as EventCode_4625 count(eval(EventCode="4672")) as EventCode_4672 by Account_Name | where EventCode_4625=1 AND EventCode_4672=1
| table _time EventCode_* Account_Name
My Sample Search:
| makeresults
| eval EventCode=4625,Account_Name="AAA"
| append
[| makeresults
| eval EventCode=4625,Account_Name="BBB"]
| append
[| makeresults
| eval EventCode=4672,Account_Name="BBB"]
| search (EventCode=4625 OR EventCode=4672 )
| stats latest(eval(if(EventCode=="4625",_time,NULL))) as _time count(eval(EventCode="4625")) as EventCode_4625 count(eval(EventCode="4672")) as EventCode_4672 by Account_Name | where EventCode_4625=1 AND EventCode_4672=1
| table _time EventCode_* Account_Name
Thanks
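The correlation the search above performs (drop computer accounts ending in "$", take the target account from the multivalue Account_Name of 4625 records, count 4625 failed-logon and 4672 special-privilege events per account, keep the latest 4625 time, and report accounts that have exactly one of each) can be checked outside Splunk. The following Python is an added example, not code from the answer above or from Splunk; the sample events are constructed, and the target-account selection is generalised to fall back to the single value when a record carries only one Account_Name (mvindex(Account_Name,1) on the SPL side would return null there).

```python
from datetime import datetime

# Constructed sample events modelled on the fields the SPL uses.
# Account_Name is a list because 4625 records carry two values
# (subject account first, target account second), which is why the
# search applies mvindex(Account_Name, 1). 4672 records carry one.
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 1, 1, 9, 0), "EventCode": 4625, "Account_Name": ["-", "AAA"]},
    {"_time": datetime(2024, 1, 1, 9, 5), "EventCode": 4625, "Account_Name": ["-", "BBB"]},
    {"_time": datetime(2024, 1, 1, 9, 6), "EventCode": 4672, "Account_Name": ["BBB"]},
    # Computer account: excluded by the Account_Name!="*$" filter.
    {"_time": datetime(2024, 1, 1, 9, 7), "EventCode": 4625, "Account_Name": ["-", "HOST01$"]},
    {"_time": datetime(2024, 1, 1, 9, 8), "EventCode": 4672, "Account_Name": ["HOST01$"]},
    # Two failed logons: excluded by the EventCode_4625=1 condition.
    {"_time": datetime(2024, 1, 1, 9, 9), "EventCode": 4625, "Account_Name": ["-", "CCC"]},
    {"_time": datetime(2024, 1, 1, 9, 10), "EventCode": 4625, "Account_Name": ["-", "CCC"]},
    {"_time": datetime(2024, 1, 1, 9, 11), "EventCode": 4672, "Account_Name": ["CCC"]},
    # Unrelated event code: dropped by the EventCode filter.
    {"_time": datetime(2024, 1, 1, 9, 12), "EventCode": 4624, "Account_Name": ["-", "DDD"]},
]


def target_account(event):
    """Equivalent of mvindex(Account_Name, 1), falling back to the only
    value for single-valued records (assumption: 4672 records have one)."""
    names = event.get("Account_Name") or []
    if len(names) > 1:
        return names[1]
    return names[0] if names else None


def summarise(events):
    """Per-account counts of 4625 and 4672 plus the latest 4625 time,
    mirroring the stats ... by Account_Name stage of the search."""
    per_account = {}
    for ev in events:
        if ev["EventCode"] not in (4625, 4672):
            continue
        name = target_account(ev)
        # Account_Name!="*$": skip missing names and computer accounts.
        if name is None or name.endswith("$"):
            continue
        rec = per_account.setdefault(
            name, {"_time": None, "EventCode_4625": 0, "EventCode_4672": 0}
        )
        if ev["EventCode"] == 4625:
            rec["EventCode_4625"] += 1
            # latest(eval(if(EventCode=="4625", _time, NULL)))
            if rec["_time"] is None or ev["_time"] > rec["_time"]:
                rec["_time"] = ev["_time"]
        else:
            rec["EventCode_4672"] += 1
    return per_account


def correlate(events):
    """where EventCode_4625=1 AND EventCode_4672=1: one failed logon
    followed by one privileged session for the same account."""
    return {
        name: rec
        for name, rec in summarise(events).items()
        if rec["EventCode_4625"] == 1 and rec["EventCode_4672"] == 1
    }


if __name__ == "__main__":
    for name, rec in correlate(SAMPLE_EVENTS).items():
        print(rec["_time"], rec["EventCode_4625"], rec["EventCode_4672"], name)
```

Running it reports only BBB: AAA has no 4672, HOST01$ is a computer account, and CCC has two failed logons, so the exact-count condition of the search drops it. If the intent is "at least one" rather than "exactly one", the comparison in correlate (and the where clause in the SPL) is the place to change.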