
Forums: SplunkGeneral: Search Help




I am relatively new to Splunk and need help with the search lingo. What I want to do is return results from a Windows Security Event log that shows me a list of usernames, the number of logins, and the last time they logged in. I got the first part (list of usernames and number of logins) with:

host="HOST" | stats count by Account_Name | sort -count

but how can I also list the date of the latest entry?

Thanks.

Kevin

host="HOST" | stats count, first(_time) by Account_Name

"first" will give you the first encountered time for each Account_Name, and since Splunk returns in reverse time order, that will be most recent.

Actually, you probably want to make it

host="HOST" | stats count, first(_time) as _time by Account_Name

so that the UI displays the time in a human readable format. (It automatically reformats a field named "_time", otherwise you can do it yourself using the "convert" or "eval" functions.)
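The aggregation the replies above describe, worked through in Python as an added example (it is not code from this thread and not Splunk's implementation). It runs over a handful of constructed Windows Security events, emulates `stats count, first(_time) by Account_Name` and `sort -count`, and also shows two things a practitioner would check: `first(_time)` only yields the latest logon because a plain search hands events to `stats` newest first, so `max(_time)` is the order-independent way to get the same answer; and `host="HOST"` on its own counts every event on the host, so the example filters to successful logons (EventCode 4624) and drops machine accounts (names ending in `$`). The event lines, the key=value layout and the account names are all constructed for the example.

```python
from datetime import datetime, timezone

# Constructed Windows Security events from one host, newest first (the order a plain
# Splunk search feeds events into `stats`).  Not real log data.
SAMPLE_EVENTS = [
    "2024-03-04T09:30:00Z EventCode=4624 Logon_Type=10 Account_Name=bob",
    "2024-03-04T08:15:00Z EventCode=4624 Logon_Type=2 Account_Name=alice",
    "2024-03-04T07:50:00Z EventCode=4625 Logon_Type=3 Account_Name=carol",
    "2024-03-03T23:05:00Z EventCode=4624 Logon_Type=3 Account_Name=WEB01$",
    "2024-03-03T18:00:00Z EventCode=4624 Logon_Type=2 Account_Name=alice",
    "2024-03-03T09:00:00Z EventCode=4624 Logon_Type=10 Account_Name=bob",
    "2024-03-02T12:00:00Z EventCode=4624 Logon_Type=2 Account_Name=bob",
]

def parse_event(line):
    """Turn one sample line into a dict; _time becomes epoch seconds, as in Splunk."""
    stamp, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["_time"] = dt.timestamp()
    return event

def successful_logons(events):
    """Keep only successful logons (EventCode 4624) by real users: host="HOST" alone
    matches every event on the host, and machine accounts (trailing '$') are noise."""
    return [e for e in events
            if e.get("EventCode") == "4624" and not e["Account_Name"].endswith("$")]

def stats_count_first(events):
    """Emulate `stats count, first(_time) by Account_Name`.  first() keeps the _time
    of the first event *seen* per account, so the result depends on input order."""
    out = {}
    for e in events:
        count, first_t = out.get(e["Account_Name"], (0, e["_time"]))
        out[e["Account_Name"]] = (count + 1, first_t)
    return out

def stats_count_max(events):
    """Emulate `stats count, max(_time) by Account_Name`: the latest logon regardless
    of the order in which events arrive."""
    out = {}
    for e in events:
        count, latest = out.get(e["Account_Name"], (0, e["_time"]))
        out[e["Account_Name"]] = (count + 1, max(latest, e["_time"]))
    return out

def fmt_time(epoch):
    """What the UI does for a field named _time: render epoch seconds readably."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def latest_logon_report(lines):
    """Full pipeline: parse, filter to user logons, aggregate, then `sort -count`.
    Returns rows of (Account_Name, count, last_logon) with a readable timestamp."""
    stats = stats_count_max(successful_logons(parse_event(l) for l in lines))
    rows = [(name, count, fmt_time(t)) for name, (count, t) in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for name, count, last in latest_logon_report(SAMPLE_EVENTS):
        print(f"{name:<10} {count:>5}  {last}")
```

Feeding the same events to `stats_count_first` in chronological order returns each account's oldest logon instead of its newest, which is exactly the trap with `first(_time)`; `stats_count_max` gives the same answer either way. In SPL the equivalent order-safe search is `host="HOST" EventCode=4624 | stats count, max(_time) as _time by Account_Name | sort -count`.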