We have a use case where we need to have an alert emailed if a user (under the field User) does not have an event of Activity="logged on" within the past 90 days within a specific sourcetype.
We have tried index=index sourcetype=sourcetype Activity="logged on" | chart count over Activity by User limit=0
But we can't seem to be able to filter to only specify a count of 0 over the past 90 days
Any ideas or leads as to what would get us in the right direction?
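One way to get there, as an added example rather than the original poster's search: instead of counting "logged on" events (which yields no row at all for a user with zero events), take the most recent "logged on" timestamp per user over a longer lookback and keep the users whose latest logon is older than 90 days. The index and sourcetype names are placeholders from the question; the 365-day lookback is an assumed value.

```spl
index=index sourcetype=sourcetype Activity="logged on" earliest=-365d
| stats latest(_time) AS last_logon BY User
| eval cutoff=relative_time(now(), "-90d")
| where last_logon < cutoff
| eval days_idle=round((now() - last_logon) / 86400)
| eval last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| table User last_logon days_idle
| sort - days_idle
```

A user with no "logged on" event anywhere in the lookback window will not appear in the results, so if the alert must also cover accounts that never logged on, the user list needs to come from an external source (for example an inputlookup of expected accounts) rather than from the events themselves; this search is otherwise suitable to save as a scheduled alert with an email action.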