topic Creating a detailed table to investigate user account logging into several servers in Splunk Search https://community.splunk.com/t5/Splunk-Search/Creating-a-detailed-table-to-investigate-user-account-logging/m-p/502394#M139854 <P>Hello,</P> <P>I'm attempting to build a detailed table complete with timestamp, account name, eventcode, and host. We found that there is an account logging into various servers over a period of 48 hours, but I'm having difficulty creating a proper query. The only column that is filled out is host. Here is what I attempted:</P> <P>index="index" Account_Name="account" EventCode="event code" | stats count BY host | eval timestamp=strftime(_time, "%B %d, %D:%M:%S %p") | table timestamp Account_Name host eventcode</P> <P>Thank you for any help the community can provide.</P> Wed, 30 Sep 2020 03:16:58 GMT rcastello 2020-09-30T03:16:58Z Creating a detailed table to investigate user account logging into several servers https://community.splunk.com/t5/Splunk-Search/Creating-a-detailed-table-to-investigate-user-account-logging/m-p/502394#M139854 <P>Hello,</P> <P>I'm attempting to build a detailed table complete with timestamp, account name, eventcode, and host. We found that there is an account logging into various servers over a period of 48 hours, but I'm having difficulty creating a proper query. The only column that is filled out is host. Here is what I attempted:</P> <P>index="index" Account_Name="account" EventCode="event code" | stats count BY host | eval timestamp=strftime(_time, "%B %d, %D:%M:%S %p") | table timestamp Account_Name host eventcode</P> <P>Thank you for any help the community can provide.</P> Wed, 30 Sep 2020 03:16:58 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-detailed-table-to-investigate-user-account-logging/m-p/502394#M139854 rcastello 2020-09-30T03:16:58Z Re: Creating a detailed table to investigate user account logging into several servers https://community.splunk.com/t5/Splunk-Search/Creating-a-detailed-table-to-investigate-user-account-logging/m-p/502395#M139855 <PRE><CODE>index="index" Account_Name="account" EventCode="event code" | stats count last(_time) as _time by Account_Name host EventCode | eval timestamp=strftime(_time, "%B %d, %H:%M:%S %p") | table timestamp Account_Name host EventCode </CODE></PRE> <P>Hi, @rcastello<BR /> Is this result what you want to know?</P> Sat, 07 Dec 2019 08:49:48 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-detailed-table-to-investigate-user-account-logging/m-p/502395#M139855 to4kawa 2019-12-07T08:49:48Z