Re: First Day of Login / Last Day of Login in a mo...

karambaz · ‎07-01-2013

Here is the scenario:

We want to know the first day of login and the last day of login in a month for a particular user.

Please help me.

asimagu · ‎07-02-2013

stats first(_time) last(_time) count(eventid) by eventid,snarehost,access,username

note that in Splunk, first is last and last is first

if you have the date of login extracted in a field, use that field instead of _time

MHibbin · ‎07-02-2013

... pastebin?

karambaz · ‎07-02-2013

yes sir..im unable to upload the excel outcome. Can you give ur email add so i can email to you the excel sheets. In order to be more clearer.

Thanks

jtworzydlo · ‎07-02-2013

If I understand properly, the excel file is your outcome, and what form has the input?
To find first/last occurrence of something I would use streamstats with first()/last() function.

karambaz · ‎07-02-2013

Hi in the excel sheet there will be 4 column which will be Event ID, First Day of Login, Last Day of Login, User ID and Number of Events,

I manage to create the Event ID, User and Number of Events by using stats count by eventid,snarehost, access, username,

BUT I'm unable to include the First Time of login and the last login during the month query.

Hope you have a clear view on this. Thanks

jtworzydlo · ‎07-02-2013

Could you provide some more data? Maybe some example log data to work on?

First Day of Login / Last Day of Login in a month

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?