https://community.splunk.com/t5/Splunk-Search/Help-with-search-to-make-report/m-p/646356#M223726 <P>You could start with something like this</P><LI-CODE lang="markup">index=&lt;insex_name&gt; sourcetype=&lt;source_name&gt; earliest=-14d@d latest=@d user@email | bin span=1d _time as day | stats earliest(_time) as first by day user | fieldformat first=strftime(first,"%Y-%m-%dT%H:%M:%S.%Q")</LI-CODE> Thu, 08 Jun 2023 15:36:32 GMT ITWhisperer 2023-06-08T15:36:32Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-to-make-report/m-p/646351#M223724 <P>Hi, dear splunkers, actually im new to splunk and I need to write a query in order to make a report. So, from a logs I have to display for several employees their first connection time for each day for a period of two weeks and have it in output.&nbsp; As i see steps would be to take each day, find&nbsp; time of earliest event and write it in output. How it would be better to implement it? Thanks in advance.</P> <P>My draft</P> <LI-CODE lang="markup">index=&lt;insex_name&gt; sourcetype=&lt;source_name&gt; earliest=-14d latest=-13d user@email | sort _time asc | head 1 | table _time, user | eval 25.05=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q") | fields - _time</LI-CODE> Thu, 08 Jun 2023 15:39:10 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-to-make-report/m-p/646351#M223724 john8745 2023-06-08T15:39:10Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-to-make-report/m-p/646356#M223726 <P>You could start with something like this</P><LI-CODE lang="markup">index=&lt;insex_name&gt; sourcetype=&lt;source_name&gt; earliest=-14d@d latest=@d user@email | bin span=1d _time as day | stats earliest(_time) as first by day user | fieldformat first=strftime(first,"%Y-%m-%dT%H:%M:%S.%Q")</LI-CODE> Thu, 08 Jun 2023 15:36:32 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-to-make-report/m-p/646356#M223726 ITWhisperer 2023-06-08T15:36:32Z