I have a lookup list yyyy for which I want to show the latest login based on max login time, and also the users that did not log in.
How can I reconstruct the query to show both in one table?
index=main sourcetype=xxxx [inputlookup yyyy | fields account_name | rename account_name as query] | search ACTION_NAME=LOGON RETURNCODE=0 | stats max(_time) as login_time by user, source | eval login_time=strftime(login_time, "%Y/%m/%d %H:%M:%S") | table user, source, login_time