https://community.splunk.com/t5/Splunk-Search/Query/m-p/582339#M202834 <P>These doubts are variations on the same theme as are the solutions.</P><BLOCKQUOTE><HR />One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.<HR /></BLOCKQUOTE><LI-CODE lang="markup">index=foo (status=logout OR status=logon) ```Find the most recent login/logout event for each employee``` | dedup name ```Keep only the logouts. All others are still logged on.``` | where status=logout</LI-CODE><BLOCKQUOTE><HR />Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out.&nbsp;</BLOCKQUOTE><LI-CODE lang="markup">index=foo (status=logon OR status=logout) | stats count by status</LI-CODE><BLOCKQUOTE><HR />3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise&nbsp;<HR /></BLOCKQUOTE><LI-CODE lang="markup">index=foo (status=logon OR status=logout) ```Show who is logged in and who is logged out``` | stats values(name) as names by status</LI-CODE><P><BR /><BR /></P> Tue, 25 Jan 2022 00:38:30 GMT richgalloway 2022-01-25T00:38:30Z https://community.splunk.com/t5/Splunk-Search/Query/m-p/582262#M202810 <P>Supposed if i have huge data off employees Like name department and status (login /logout )</P><P>One person can login and logout many times in One day.&nbsp;</P><P>I need to find out last logout time for each employee&nbsp;</P> Mon, 24 Jan 2022 14:40:17 GMT https://community.splunk.com/t5/Splunk-Search/Query/m-p/582262#M202810 kajalchopade071 2022-01-24T14:40:17Z https://community.splunk.com/t5/Splunk-Search/Query/m-p/582273#M202817 <P>Search for logouts then take the most recent one for each employee.&nbsp; The <FONT face="courier new,courier">dedup</FONT> command keeps the most recent event for each specified field value (employee name, in this case).</P><LI-CODE lang="markup">index=foo status=logout | dedup name</LI-CODE><P>&nbsp;</P> Mon, 24 Jan 2022 15:31:14 GMT https://community.splunk.com/t5/Splunk-Search/Query/m-p/582273#M202817 richgalloway 2022-01-24T15:31:14Z https://community.splunk.com/t5/Splunk-Search/Query/m-p/582279#M202819 <P>Thank you so much for the help it return correct values.&nbsp;</P><P>One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.&nbsp;</P><P>Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out.&nbsp;</P><P>3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise&nbsp;</P> Mon, 24 Jan 2022 16:04:51 GMT https://community.splunk.com/t5/Splunk-Search/Query/m-p/582279#M202819 kajalchopade071 2022-01-24T16:04:51Z https://community.splunk.com/t5/Splunk-Search/Query/m-p/582339#M202834 <P>These doubts are variations on the same theme as are the solutions.</P><BLOCKQUOTE><HR />One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.<HR /></BLOCKQUOTE><LI-CODE lang="markup">index=foo (status=logout OR status=logon) ```Find the most recent login/logout event for each employee``` | dedup name ```Keep only the logouts. All others are still logged on.``` | where status=logout</LI-CODE><BLOCKQUOTE><HR />Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out.&nbsp;</BLOCKQUOTE><LI-CODE lang="markup">index=foo (status=logon OR status=logout) | stats count by status</LI-CODE><BLOCKQUOTE><HR />3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise&nbsp;<HR /></BLOCKQUOTE><LI-CODE lang="markup">index=foo (status=logon OR status=logout) ```Show who is logged in and who is logged out``` | stats values(name) as names by status</LI-CODE><P><BR /><BR /></P> Tue, 25 Jan 2022 00:38:30 GMT https://community.splunk.com/t5/Splunk-Search/Query/m-p/582339#M202834 richgalloway 2022-01-25T00:38:30Z https://community.splunk.com/t5/Splunk-Search/Query/m-p/582354#M202838 <P>Thanks <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P> Tue, 25 Jan 2022 05:36:57 GMT https://community.splunk.com/t5/Splunk-Search/Query/m-p/582354#M202838 kajalchopade071 2022-01-25T05:36:57Z