https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524120#M147873 <P>Yes, it works fine! A summary for others:</P><LI-CODE lang="markup">host="xxxxxxx" | rex "time\":\"(?&lt;time&gt;[^\"]+)" | rex "fullname\":\"(?&lt;fullname&gt;[^\"]+)" | rex "confname\":\"(?&lt;confname&gt;[^\"]+)" | stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname | fieldformat "Time Start"=strftime('Time Start',"%Y-%m-%dT%H:%M:%S.%Q") | fieldformat "Time Stop"=strftime('Time Stop',"%Y-%m-%dT%H:%M:%S.%Q")</LI-CODE> Sun, 11 Oct 2020 19:57:46 GMT glm_cybaze 2020-10-11T19:57:46Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/523899#M147807 <P>Hi to everyone,</P><P>I have some trouble on setting a correct output for a search query.</P><P>This is the start situation of the logs:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="splunk_screen_1.jpg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11228i97BDE7DA81C95A14/image-size/large?v=v2&amp;px=999" role="button" title="splunk_screen_1.jpg" alt="splunk_screen_1.jpg" /></span></P><P>&nbsp;I've created a regex for a cleaner situation:</P><P>&nbsp;</P><LI-CODE lang="markup">host="xxxxx" | rex "time\":\"(?&lt;time&gt;[^\"]+)" | rex "fullname\":\"(?&lt;fullname&gt;[^\"]+)" | rex "confname\":\"(?&lt;confname&gt;[^\"]+)" | table time, fullname, confname</LI-CODE><P>&nbsp;</P><P>So now i have this situation:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_screen_2.jpg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11229i52108BDA707271EC/image-size/large?v=v2&amp;px=999" role="button" title="splunk_screen_2.jpg" alt="splunk_screen_2.jpg" /></span></P><P>It's clear but i need a situation where i can see the first and last time a user login (the system logs timestamp for users as long as the user is logged)</P><P>something like: Time start | Time Stop | full name | confname<BR />Someone has a some suggestions?</P><P>p.s.<BR />For helping others people in my situation, this is the logs of Big Blue Button software</P> Fri, 09 Oct 2020 12:04:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/523899#M147807 glm_cybaze 2020-10-09T12:04:02Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/523926#M147821 <LI-CODE lang="markup">| stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname </LI-CODE> Fri, 09 Oct 2020 13:41:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/523926#M147821 ITWhisperer 2020-10-09T13:41:21Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524101#M147866 <P>Hi tanks,</P><P>I replaced the string</P><LI-CODE lang="markup">| table time_first, time_last, fullname, confname</LI-CODE><P>With</P><LI-CODE lang="markup">| stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname </LI-CODE><P>Result is:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_screen_3.jpg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11239i19628880EE51F330/image-size/large?v=v2&amp;px=999" role="button" title="splunk_screen_3.jpg" alt="splunk_screen_3.jpg" /></span></P><P>I think because the timestamp is: 2020-10-10T12:14:06.969Z<BR />any suggestion?</P> Sun, 11 Oct 2020 16:55:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524101#M147866 glm_cybaze 2020-10-11T16:55:18Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524107#M147868 <P>Is it that you want the timestamps displayed as date time?</P><LI-CODE lang="markup">| fieldformat 'Time Start'=strftime('Time Start',"%Y-%m-%dT%H:%M:%S.%Q") | fieldformat 'Time Stop'=strftime('Time Stop',"%Y-%m-%dT%H:%M:%S.%Q")</LI-CODE> Sun, 11 Oct 2020 17:32:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524107#M147868 ITWhisperer 2020-10-11T17:32:26Z https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524120#M147873 <P>Yes, it works fine! A summary for others:</P><LI-CODE lang="markup">host="xxxxxxx" | rex "time\":\"(?&lt;time&gt;[^\"]+)" | rex "fullname\":\"(?&lt;fullname&gt;[^\"]+)" | rex "confname\":\"(?&lt;confname&gt;[^\"]+)" | stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname | fieldformat "Time Start"=strftime('Time Start',"%Y-%m-%dT%H:%M:%S.%Q") | fieldformat "Time Stop"=strftime('Time Stop',"%Y-%m-%dT%H:%M:%S.%Q")</LI-CODE> Sun, 11 Oct 2020 19:57:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-and-count-first-and-last-timestamp/m-p/524120#M147873 glm_cybaze 2020-10-11T19:57:46Z