Unfortunately, doing this on Windows is not quite as straightforward as one might expect.
If all you care about is the first time a user hit the network, then use Splunk's search language to just isolate the first occurrence. Most of the time, you'll want Event 4624 or 528, depending on your Windows version. The general form would be:
sourcetype="windows-snare" Success EventCode=4624 NOT user="*$" | eval logonTime=_time | bucket _time span=1d | stats min(logonTime) as logonTime by user, _time | convert ctime(logonTime)
The bucket command, and the inclusion of _time in the stats command, are optional but will break it out separately for each day.
Similarly, if you just want the first event for a user for a given day:
sourcetype="windows-snare" Success EventCode=4624 NOT user="*$" | sort _time | dedup user
It's important to understand that these events do not necessarily indicate a user logging in by typing their credentials -- almost any network activity can generate this event.
If you want to track when a user actually entered their name and password, and not just when they hit a network share or other resource, you need to look mainly for Logon Type 2, 7, 10, or 11. These correspond to Interactive Logon, Screen Unlock, Remote Desktop Logon, and workstation logins with Cached Credentials. Unfortunately, they will generally appear only on the workstation at which the event occurred, and not on a domain controller.
For newer Windows versions, searching for Event 4776 (Credential Validation) will tell you when a domain controller actually checked the password. But remember that it won't appear for logons using cached credentials.
You may also want to take a look at Randy Franklin Smith's site, and at eventid.net. The first has a good quick reference sheet here:
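The same logic as the search above, outside Splunk, as an added example (not part of the original answer): it excludes machine accounts, buckets 4624 events by day, keeps the earliest per user, and optionally restricts to the credential-entry logon types the answer lists so the difference from plain network activity is visible. The log format and the sample events are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample 4624 events (not real logs): timestamp, user, logon type.
# WKS01$ is a machine account and is dropped, matching NOT user="*$" in the search.
SAMPLE_EVENTS = """\
2023-03-01T07:58:12 EventCode=4624 user=alice Logon_Type=3
2023-03-01T08:02:45 EventCode=4624 user=alice Logon_Type=2
2023-03-01T08:03:01 EventCode=4624 user=WKS01$ Logon_Type=3
2023-03-01T13:10:00 EventCode=4624 user=alice Logon_Type=7
2023-03-01T09:15:30 EventCode=4624 user=bob Logon_Type=10
2023-03-02T08:45:00 EventCode=4624 user=alice Logon_Type=2
2023-03-02T06:30:00 EventCode=4624 user=bob Logon_Type=3
"""

# Logon types where a person actually supplied credentials: interactive,
# screen unlock, remote desktop, cached interactive (per the answer above).
CREDENTIAL_LOGON_TYPES = {2, 7, 10, 11}

# Assumed line layout for the constructed sample format.
LINE_RE = re.compile(r"^(\S+) EventCode=(\d+) user=(\S+) Logon_Type=(\d+)$")

def parse_events(text):
    """Turn the constructed log text into (timestamp, event code, user, logon type) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit the expected layout
        ts, code, user, ltype = m.groups()
        events.append((datetime.fromisoformat(ts), int(code), user, int(ltype)))
    return events

def first_logon_per_day(events, interactive_only=False):
    """Mirror of: EventCode=4624 NOT user="*$" | bucket _time span=1d
    | stats min(_time) by user, _time.  Returns {(user, day): earliest time}."""
    first = {}
    for ts, code, user, ltype in events:
        if code != 4624 or user.endswith("$"):
            continue  # not a logon event, or a machine account
        if interactive_only and ltype not in CREDENTIAL_LOGON_TYPES:
            continue  # network-style logon, not a credential entry
        key = (user, ts.date().isoformat())  # day bucket at midnight
        if key not in first or ts < first[key]:
            first[key] = ts
    return first
```

With interactive_only=True alice's first "logon" on 2023-03-01 moves from 07:58 (a type 3 network hit) to 08:02 (the type 2 console logon), which is the distinction the answer warns about.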
Great answer. There is also an app on Splunkbase that provides EventID lookups and some easy links to eventid.net via splunk workflows: http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Windows+Event+Codes+Lookup
To Windows, a login is a login is a login. There's nothing special about a user's "first" login of the day. You may want to rephrase this as something more like "How can I write a search to find the first time a user logs in each day, assuming midnight starts a new day?" (Or 5AM, or 6AM, or whatever)