https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32375#M5753 <P>I have a search tracking users logging into our juniper vpn</P> <P>sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline first(LoginTime) as LastLogin count by Username | sort -count | head 10</P> <P>Everything works perfect when it is set to last 24 hours but when I change the timeline to 30 days (the default) the first value of LastLogin is wrong on half the users, the count is correct but first is dropping off the last 24 hours worth of logins</P> <P>it is related to username=lower(Username) I am using this because users sign in as Jimmy.zio and jimmy.zio both work and I am aggregating the users into 1 </P> Tue, 13 Nov 2012 15:17:49 GMT Eastek5551 2012-11-13T15:17:49Z https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32375#M5753 <P>I have a search tracking users logging into our juniper vpn</P> <P>sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline first(LoginTime) as LastLogin count by Username | sort -count | head 10</P> <P>Everything works perfect when it is set to last 24 hours but when I change the timeline to 30 days (the default) the first value of LastLogin is wrong on half the users, the count is correct but first is dropping off the last 24 hours worth of logins</P> <P>it is related to username=lower(Username) I am using this because users sign in as Jimmy.zio and jimmy.zio both work and I am aggregating the users into 1 </P> Tue, 13 Nov 2012 15:17:49 GMT https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32375#M5753 Eastek5551 2012-11-13T15:17:49Z https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32376#M5754 <P>The first command returns the first value in the events list. So if the "first" event is 7 days ago, it will show that one. first and last are not chronological commands, they are based on the input order of the events. Instead, try this, which uses the <CODE>latest</CODE> command:</P> <P><CODE>sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline latest(LoginTime) as LastLogin count by Username | sort -count | head 10</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Commonstatsfunctions">http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Commonstatsfunctions</A></P> Tue, 13 Nov 2012 15:30:39 GMT https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32376#M5754 alacercogitatus 2012-11-13T15:30:39Z https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32377#M5755 <P>Perfect thanks fixed my search</P> Tue, 13 Nov 2012 16:43:36 GMT https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32377#M5755 Eastek5551 2012-11-13T16:43:36Z https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32378#M5756 <P>Your welcome! please use the checkmark and mark accepted. Thanks!</P> Wed, 14 Nov 2012 13:55:39 GMT https://community.splunk.com/t5/Getting-Data-In/First-appears-to-be-broken-on-my-search/m-p/32378#M5756 alacercogitatus 2012-11-14T13:55:39Z