https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55872#M179809 <P>Is this what you're looking for?:</P> <PRE><CODE>index=os sourcetype=lastlog|multikv|table host,LATEST,FROM,USERNAME </CODE></PRE> Fri, 07 Jun 2013 20:02:20 GMT glitchcowboy 2013-06-07T20:02:20Z https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55871#M179808 <P>I have managed to get our linux hosts' lastlog data in our Splunk&gt; (<STRONG>version 5.0.2</STRONG>, build 149561) easily enough, but what I am trying to accomplish (with any additional app installs, thanks) is "chop up" the lastlog results into a <BR /> chart by host, user, ip and date.</P> <P>I tried at Extract Fields on the results and could NOT get it to recognize a list of 40 names? <BR /> 20 Most Common and 20 'Random' names either together or separately both return "No regex could be learned. Try providing different examples or restriction."</P> <P>I tried the <EM>actual</EM> names from "sample events" and it just barks the same message.<BR /> Even the simple names list (Lucy Ricky Fred Ethel) fails.</P> <P>We have the Splunk_TA_nix installed.</P> <P>Sample data via splunk shows:</P> <P>USERNAME FROM LATEST<BR /><BR /> root xx.xxx.61.95 Jun 5 06:15:58 2013<BR /><BR /> some_user isp-24-249-207- Jun 4 08:03:29 2013<BR /><BR /> another_user what.ever Jun 2 13:00:15 2013</P> <P>Edit: Wed Jun 05, 2013 - 1:01:38 PM EDT<BR /><BR /> Extracted Fields vs Indexed Fields...so I want to <EM>extract</EM> the usernames from the output of<BR /><BR /> sourcetype="lastlog" host="*"</P> <P>Fri Jun 07, 2013 - 2:22:40 PM EDT<BR /> Some progress...<BR /> \w+\s+\w+\s+\w+\s+(?P<FIELDNAME1>[^ ]+)<BR /> but this only grabs "root" and one other username<BR /> so, still banging away...</FIELDNAME1></P> <P>Thanks</P> Wed, 05 Jun 2013 15:28:25 GMT https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55871#M179808 JJ_of_c9 2013-06-05T15:28:25Z https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55872#M179809 <P>Is this what you're looking for?:</P> <PRE><CODE>index=os sourcetype=lastlog|multikv|table host,LATEST,FROM,USERNAME </CODE></PRE> Fri, 07 Jun 2013 20:02:20 GMT https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55872#M179809 glitchcowboy 2013-06-07T20:02:20Z https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55873#M179810 <P>Very close and it gives me so much to work with. I can shape the output further thanks to you and this working example.<BR /><BR /> sourcetype="lastlog"| multikv|table host,USERNAME,LATEST,FROM | dedup host sortby lastlogin_time | table host,USERNAME,LATEST,FROM</P> <P>Thank you very much!<BR /><BR /> John Jones of<BR /><BR /> cirrhus9.com</P> Fri, 07 Jun 2013 20:48:56 GMT https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55873#M179810 JJ_of_c9 2013-06-07T20:48:56Z https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55874#M179811 <P>jj: if glitch's answer solved your problem, please accept his answer by checking the checkbox. thanks!</P> Fri, 07 Jun 2013 22:33:58 GMT https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55874#M179811 piebob 2013-06-07T22:33:58Z https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55875#M179812 <P>I also found this format to be useful and easy to read.</P> <P>sourcetype="lastlog" |dedup host| multikv |stats list(USERNAME) AS login_user, list(LATEST) AS login_time by host</P> Tue, 29 Sep 2020 08:52:08 GMT https://community.splunk.com/t5/Splunk-Search/chopping-up-lastlog/m-p/55875#M179812 mike11339 2020-09-29T08:52:08Z