https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234111#M69564 <P>Like this:</P> <PRE><CODE> index=* sourcetype=* User | eval User=lower(User) | lookup local=true lookup1.csv user_id as User | eval Name=display_name | stats earliest(_time) AS "First Login" latest(_time) AS "Last Login" BY Name | convert ctime("First Login") ctime("Last Login") </CODE></PRE> Wed, 29 Jun 2016 12:56:09 GMT woodcock 2016-06-29T12:56:09Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234110#M69563 <P>I am trying to create a table that will show the earliest and latest event times of every user in my search. The "First Login"column will be their very first event time and the "Last Login" column will be their last event created.</P> <P>This search will return every event's _time for each user but the "Last Login" is the same for every User. With this search I can see the times I want but I want to dedup the Users.</P> <PRE><CODE>index=* sourcetype=* User | eval User=lower(User) | lookup local=true lookup1.csv user_id as User | eval Name=display_name | table _time User Name| streamstats earliest(_time) as "First Login" latest(_time) as "Last Login" | convert ctime("First Login") ctime("Last Login") </CODE></PRE> <P>This search will return single User event's _time but it is not finding the earliest event _time for the "First Login" and the "Last Login" is the same for every User .</P> <PRE><CODE> index=* sourcetype=* User | eval User=lower(User) | lookup local=true lookup1.csv user_id as User | eval Name=display_name | table _time User Name| streamstats earliest(_time) as "First Login" latest(_time) as "Last Login" | convert ctime("First Login") ctime("Last Login") | dedup Name </CODE></PRE> <P>Is there a better way to achieve what I am looking to do? </P> <P>Thanks.</P> Wed, 29 Jun 2016 12:29:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234110#M69563 Aaron_Fogarty 2016-06-29T12:29:22Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234111#M69564 <P>Like this:</P> <PRE><CODE> index=* sourcetype=* User | eval User=lower(User) | lookup local=true lookup1.csv user_id as User | eval Name=display_name | stats earliest(_time) AS "First Login" latest(_time) AS "Last Login" BY Name | convert ctime("First Login") ctime("Last Login") </CODE></PRE> Wed, 29 Jun 2016 12:56:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234111#M69564 woodcock 2016-06-29T12:56:09Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234112#M69565 <P>Thank a million Woodcock, that's exactly it.</P> Wed, 29 Jun 2016 13:14:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-the-earliest-and-latest-event-times/m-p/234112#M69565 Aaron_Fogarty 2016-06-29T13:14:00Z