Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

First appears to be broken on my search

Eastek5551
Engager
‎11-13-2012 07:17 AM

I have a search tracking users logging into our juniper vpn

sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline first(LoginTime) as LastLogin count by Username | sort -count | head 10

Everything works perfect when it is set to last 24 hours but when I change the timeline to 30 days (the default) the first value of LastLogin is wrong on half the users, the count is correct but first is dropping off the last 24 hours worth of logins

it is related to username=lower(Username) I am using this because users sign in as Jimmy.zio and jimmy.zio both work and I am aggregating the users into 1

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎11-13-2012 07:30 AM

The first command returns the first value in the events list. So if the "first" event is 7 days ago, it will show that one. first and last are not chronological commands, they are based on the input order of the events. Instead, try this, which uses the latest command:

sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline latest(LoginTime) as LastLogin count by Username | sort -count | head 10

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Commonstatsfunctions

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎11-13-2012 07:30 AM

The first command returns the first value in the events list. So if the "first" event is 7 days ago, it will show that one. first and last are not chronological commands, they are based on the input order of the events. Instead, try this, which uses the latest command:

sourcetype="SSLVPN" Action="- Login succeeded" |eval Username=lower(Username) | stats sparkline latest(LoginTime) as LastLogin count by Username | sort -count | head 10

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Commonstatsfunctions

Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎11-14-2012 05:55 AM

Your welcome! please use the checkmark and mark accepted. Thanks!

0 Karma
Reply
Solved! Jump to solution

Eastek5551
Engager
‎11-13-2012 08:43 AM

Perfect thanks fixed my search

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...