Hello, I am trying to write a query for successful dormant user logins,
where the user has successfully logged in today but in the last 30 days there was no activity by this same user.
Here is my query (which needs refinement):
index=wineventlog EventCode=4624 user!="*$" earliest=@d latest=now() | transaction user [search EventCode!=4624 user!="*$" earliest=-2d latest=@d] | table _time, user
If anyone can help in getting this refined so it does what is needed, that would be a great help.
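One way to express the dormant-login check described above without `transaction`, as an added example rather than the poster's own query: pull a single 30-day window, flag today's events, and keep only users whose entire activity in that window falls on today and includes a 4624. Field names `user` and `EventCode` are taken from the post; `is_today`, `logins_today`, `events_today` and `events_30d` are names chosen here.

```spl
index=wineventlog user!="*$" earliest=-30d@d latest=now()
| eval is_today=if(_time>=relative_time(now(),"@d"), 1, 0)
| stats sum(is_today) as events_today,
        sum(eval(if(is_today=1 AND EventCode=4624, 1, 0))) as logins_today,
        count as events_30d,
        min(_time) as first_seen
  by user
| where logins_today>0 AND events_30d=events_today
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table user first_seen logins_today events_30d
```

Because this scans a full 30 days of Windows events on every run, a scheduled search that maintains a per-user last-seen lookup (or summary index) is usually cheaper than querying the raw index each time.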