https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115371#M30567 <P>Hi all,<BR /> I am looking for a solution to show for every day of a week the time of the first activity of a user and the time of its last activity (and the time span between them).<BR /> I wanted to use transactions, but from what I understood, I need to know the exact event name to use it... but without transaction it does not seem to work:</P> <PRE><CODE>source="WinEventLog:Security" | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | stats earliest(_time) as start, latest(_time) as stop by User </CODE></PRE> <P>any advice or help would be very appreciated,</P> <P>Steven</P> Mon, 23 Jun 2014 13:49:42 GMT zendataCH 2014-06-23T13:49:42Z https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115371#M30567 <P>Hi all,<BR /> I am looking for a solution to show for every day of a week the time of the first activity of a user and the time of its last activity (and the time span between them).<BR /> I wanted to use transactions, but from what I understood, I need to know the exact event name to use it... but without transaction it does not seem to work:</P> <PRE><CODE>source="WinEventLog:Security" | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | stats earliest(_time) as start, latest(_time) as stop by User </CODE></PRE> <P>any advice or help would be very appreciated,</P> <P>Steven</P> Mon, 23 Jun 2014 13:49:42 GMT https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115371#M30567 zendataCH 2014-06-23T13:49:42Z https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115372#M30568 <P>I could be misinterpreting you zendataCH, but this is what I came-up with - for data, I used a source that contains its own 'time' field, and found it convenient to operate on those instead. If your events contain their own timestamp, that might work for you too.</P> <P>I used the 'min' and 'max' stats commands, but grouped them by both the username /and/ the day of the week.</P> <P>Sample Syntax:</P> <P>sourcetype=juniper | stats min(time), max(time) BY user,date_wday</P> <P>This returns approximately the following:</P> <P>ALTOID thursday 2014-06-19 14:14:00 2014-06-19 20:23:06<BR /> ANYPAY monday 2014-06-23 06:40:17 2014-06-23 07:03:05<BR /> APEFAN thursday 2014-06-19 14:10:44 2014-06-19 14:22:31<BR /> ANKLES friday 2014-06-20 09:59:33 2014-06-20 15:58:59<BR /> (...)</P> <P>I haven't figured-out calculating the difference in time between the two events yet, but I bet an eval is the answer for that.</P> <P>Your mileage, of course, may vary.</P> <P>Good luck!</P> Mon, 23 Jun 2014 15:39:46 GMT https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115372#M30568 Unhacker 2014-06-23T15:39:46Z https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115373#M30569 <P>The "<EM><A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/CommonStatsFunctions">range</A></EM>" command should give you the difference between the earliest and latest times.</P> <PRE><CODE>sourcetype=juniper | stats min(time), max(time), range(time) BY user,date_wday </CODE></PRE> Mon, 23 Jun 2014 18:14:02 GMT https://community.splunk.com/t5/Splunk-Search/timespan-between-earliest-and-latest-per-day-per-user/m-p/115373#M30569 mike_lebrun 2014-06-23T18:14:02Z