I would try something like this:
index=ndx sourcetype=srctp user=* [| inputlookup my_list_of_10_hosts.csv ] earliest=0
| fields _time user host
| stats min(_time) as early max(_time) as recent by user host
| eval early_diff=now()-early
| where early_diff<604800
| eval early=strftime(early,"%c"), recent=strftime(recent,"%c")
This will go back through all your data (hence the earliest=0) and find all the user/host combos, noting the earliest and most-recent logins.
Then calculate the difference between the early time and now(), making sure the first time you saw this combo was less than a week ago.
from User warren – Stack Overflow https://stackoverflow.com/questions/76041726/splunk-query-for-rarity-without-ai/76044507#76044507
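The same "first seen within the last week" logic, written out in Python as an added example that is not part of the answer above. It runs over a handful of constructed login events instead of a Splunk index, and a small host set stands in for the `my_list_of_10_hosts.csv` lookup; the user, host and timestamp values are all made up for illustration.

```python
"""
Added example (not from the Stack Overflow answer): the "new user/host
combination" check from the SPL query, expressed in Python over
constructed sample login events.  Every record below is made up; the
HOST_LIST set plays the role of the inputlookup subsearch.
"""
from datetime import datetime, timedelta, timezone

WEEK_SECONDS = 604800  # same threshold as `where early_diff<604800`

# Constructed sample data: each event is (timestamp, user, host).
# NOW is fixed so the example is reproducible offline.
NOW = datetime(2023, 4, 20, 12, 0, 0, tzinfo=timezone.utc)
EVENTS = [
    (NOW - timedelta(days=400), "alice", "web01"),   # long-standing combo
    (NOW - timedelta(days=1),   "alice", "web01"),
    (NOW - timedelta(days=2),   "bob",   "db01"),    # first seen 2 days ago
    (NOW - timedelta(hours=3),  "bob",   "db01"),
    (NOW - timedelta(days=30),  "carol", "db01"),    # older than a week
    (NOW - timedelta(days=1),   "dave",  "jump99"),  # host not in the list
]

# Stand-in for `[| inputlookup my_list_of_10_hosts.csv ]`: hosts in scope.
HOST_LIST = {"web01", "db01", "app01"}


def first_seen_combos(events, host_list, now, window_seconds=WEEK_SECONDS):
    """Return {(user, host): (early, recent)} for combos whose earliest
    observed login is less than `window_seconds` before `now`.

    Mirrors the SPL pipeline: restrict to the host list, compute
    min/max(_time) by user and host, then keep rows where
    now - early < window.
    """
    early = {}
    recent = {}
    for ts, user, host in events:
        if host not in host_list:
            continue  # equivalent to the subsearch host filter
        key = (user, host)
        early[key] = min(early.get(key, ts), ts)
        recent[key] = max(recent.get(key, ts), ts)

    return {
        key: (early[key], recent[key])
        for key in early
        if (now - early[key]).total_seconds() < window_seconds
    }


def format_report(results):
    """Render one line per hit, like the final strftime(...,"%c") eval."""
    lines = []
    for (user, host), (early, recent) in sorted(results.items()):
        lines.append(f"{user}@{host}: first {early:%c}, last {recent:%c}")
    return lines


if __name__ == "__main__":
    hits = first_seen_combos(EVENTS, HOST_LIST, NOW)
    for line in format_report(hits):
        print(line)
```

On the sample data only `bob@db01` is reported: `alice@web01` and `carol@db01` were first seen longer than a week ago, and `dave@jump99` is on a host outside the list. One caveat carries over from the SPL version: "first seen" can only reach as far back as the data you search, so if index retention is shorter than the lookback, a combination that is merely older than retention will surface as new.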