topic How to search the latest timestamp each user received their last email? in Splunk Search

How to search the latest timestamp each user received their last email?

Mufu — Thu, 11 Jun 2015 07:04:23 GMT

Hi,
I need to search when (timestamp) each user has received the last email.
Is this possible?
I tried
to="<*@domain.com>" | stats count by to | sort -_time
but this does not seem to display the time...
sorry - I am pretty new to splunk...
TIA!
Mike

Re: How to search the latest timestamp each user received their last email?

jeffland — Thu, 11 Jun 2015 07:22:08 GMT

That should be pretty straightforward: make a stats with latest of whichever field you want to see the most recent of, in your case _time to get the timestamp. You end up with something this:

to="<*@allianz.co.uk>" | stats latest(_time) as time by user

If you want to display the timestamp in human readable format, use the following eval

to="<*@allianz.co.uk>" | stats latest(_time) as time by user | eval t=strftime(time, "%D - %H:%M:%S")

Re: How to search the latest timestamp each user received their last email?

splunker12er — Thu, 11 Jun 2015 07:39:03 GMT

index=_internal *INFO* "sendemail:354"| stats latest(_time) as time by recipients | eval t=strftime(time, "%D - %H:%M:%S")

Re: How to search the latest timestamp each user received their last email?

Mufu — Thu, 11 Jun 2015 07:42:00 GMT

WHOA! That was quick! 😉
I just had to change
as time by user
to
as time by to
and that´s it!
Thank you so much!

Mike

Re: How to search the latest timestamp each user received their last email?

splunker12er — Thu, 11 Jun 2015 07:43:17 GMT

Did u able to view the results of email address by time, with the above query i posted ?

index=_internal INFO "sendemail:354"| stats values(_time) as time by recipients | eval t=strftime(time, "%D - %H:%M:%S")

index=_internal INFO "sendemail:354"| eval t=strftime(_time, "%D - %H:%M:%S")|stats values(recipients) as Receipients by t

the above gets u address by time - for any specified time-range