Depends on your source data - but here may be an example.
host=<your_server> EventCode=4624 | stats latest(login_time) by user
You will most likely need to change the field names to match your data.
Windows Server 2003
In its simplest form, assuming you're searching an IIS log, use something like this:
index=IIS sourcetype=IIS sc_status=200 cs_username!="-" | table date, time, cs_username
If you only want the first entry for each user, use this:
index=IIS sourcetype=IIS sc_status=200 cs_username!="-" | dedup cs_username | table date, time, cs_username
Of course, your index and sourcetype may vary, but you should get the idea.
We aren't assuming IIS - We KNOW Windows, it was in the problem description. Be careful using dedup - the search head must pull all matching events forward first, deduplicate (assuming you have the correct time order of events) and then table.
host= source="WinEventLog:Security" | table _time User
The above code worked well for what I wanted. Thank you both!
To more exactly get a search that is useful - we need your Windows Server version.
sourcetype=WineventLog:Security EventCode=528 | stats latest(_time) as "Logged In" by user host
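Added example, not part of any post in this thread: a single search that covers both logon event codes mentioned above (4624 and 528) and uses stats rather than dedup, so the most recent logon per user and host is computed from _time regardless of the order in which events are returned. It assumes the `user` and `host` field names used in the searches above; `last_logon` is a name chosen here, and `sort 0` lifts the default result limit of the sort command.

```spl
sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=528)
| stats latest(_time) as last_logon by user, host
| sort 0 - last_logon
| eval last_logon=strftime(last_logon, "%Y-%m-%d %H:%M:%S")
```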