https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336317#M159750 <P>Just building on the @sbbadri's query, I think you just need <CODE>count()</CODE> and <CODE>last()</CODE> stats functions with aggregation by user_id, Description. </P> <PRE><CODE>sourcetype=WinEventLog:Security EventCode=4625 | stats count last(_time) as lastHappenTime by user_id Description </CODE></PRE> Fri, 28 Jul 2017 08:06:35 GMT niketn 2017-07-28T08:06:35Z https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336314#M159747 <P>HI Everyone<BR /> I have a query will return me a table shows top users that has logon fail detail as below<BR /> query </P> <PRE><CODE>sourcetype=WinEventLog:Security EventCode=4625 | top user_id, Description, </CODE></PRE> <P>and return table looks like below</P> <PRE><CODE>user_id Description count percent user1 logonFail 121 17.741935 user2 logonFail 98 10.2544 user3 logonFail 25 6.3625 **** </CODE></PRE> <P>I want to added an column that shows the last event time of that failed log happened and now display the percent column as below</P> <PRE><CODE>user_id Description count lastHappenTime user1 logonFail 121 15:30 user2 logonFail 98 10:15 user3 logonFail 25 16:24 **** </CODE></PRE> <P>so this way I can tell whether the fail logon event is still happening or not. Anyone done the similar thing can give me some hit please?<BR /> Thanks in advance<BR /> Regards<BR /> Sam</P> Fri, 28 Jul 2017 05:20:02 GMT https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336314#M159747 samlinsongguo 2017-07-28T05:20:02Z https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336315#M159748 <P>sourcetype=WinEventLog:Security EventCode=4625 | stats last(_time) as lastHappenTime by user_id Description| eval lastHappenTime=strftime(lastHappenTime,"%H:%M:%S") | top user_id Description lastHappenTime</P> Tue, 29 Sep 2020 15:04:20 GMT https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336315#M159748 sbbadri 2020-09-29T15:04:20Z https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336316#M159749 <P>this does added the lastHappenTime column but the count is wrong (show as 1) as below <BR /> user_id Description count lastHappenTime<BR /> user1 logonFail 1 15:30<BR /> user2 logonFail 1 10:15<BR /> user3 logonFail 1 16:24<BR /> ****<BR /> it make sence only one event at 1530 but I want to know when was the last event happened (in this case it is 15:30) and how many is happened in today which I expect 120 rather than 1<BR /> Regards<BR /> Sam</P> Fri, 28 Jul 2017 06:14:38 GMT https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336316#M159749 samlinsongguo 2017-07-28T06:14:38Z https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336317#M159750 <P>Just building on the @sbbadri's query, I think you just need <CODE>count()</CODE> and <CODE>last()</CODE> stats functions with aggregation by user_id, Description. </P> <PRE><CODE>sourcetype=WinEventLog:Security EventCode=4625 | stats count last(_time) as lastHappenTime by user_id Description </CODE></PRE> Fri, 28 Jul 2017 08:06:35 GMT https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336317#M159750 niketn 2017-07-28T08:06:35Z https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336318#M159751 <P>again, a little building based on @sbbadri and @niketnilay, since you can't do a top on count, and you want the percentage:</P> <PRE><CODE> sourcetype=WinEventLog:Security EventCode=4625 | stats count last(_time) as lastHappenTime by user_id Description|eventstats sum(count) as total|eval percent=round((count/total)*100,2)|fields user_id Description count percent lastHappenTime </CODE></PRE> Fri, 28 Jul 2017 11:30:31 GMT https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336318#M159751 cmerriman 2017-07-28T11:30:31Z https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336319#M159752 <P>Thank you for all the help!!! I got what I wanted on following query </P> <PRE><CODE> wineventlog` sourcetype=WinEventLog:Security EventCode=4625 | fields + user_id _time Description src | stats values(src) as "Source Computer", values(Description) as Description latest(_time) as lastHappenTime count(_time) as Total by user_id | eval lastHappenTime=strftime(lastHappenTime,"%H:%M:%S") | sort - "lastHappenTime" | head 10 </CODE></PRE> Mon, 31 Jul 2017 00:20:45 GMT https://community.splunk.com/t5/Splunk-Search/Return-last-event-appear-time/m-p/336319#M159752 samlinsongguo 2017-07-31T00:20:45Z