Splunk Search

How to find the people who leave the next day

Minghao
Explorer

We have a game and a login log. I want to analyze the people who log in today and don't log in tomorrow, which is to analyze what affects 1-day retention. BUT I can't find these departed people. I think maybe I can use the NOT command or the JOIN INNER command; however, I failed.

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

2021-02-07 21:39:40 id=1001,flt=2021-01-11 00:05:18ip=xxx.xx.xxx.xx,device=xxx

assuming that "flt" is already extracted:

base search | eval epochLoginTime=strptime(flt, "%Y-%m-%d %H:%M:%S") 
| eval epochOneDay=relative_time(now(), "-1d@d" ) 
| where epochLoginTime > epochOneDay

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !


0 Karma

Minghao
Explorer

The login log is like below:

2021-02-07 21:39:40 id=1001,flt=2021-01-11 00:05:18ip=xxx.xx.xxx.xx,device=xxx

0 Karma


inventsekar
SplunkTrust
SplunkTrust

Hi @Minghao, please share with us the login log (without actual usernames/server names, etc.).

> I want to analyze the people that log in today and don't log in tomorrow

This should be simple. The login log should have the timestamp, so you can search for the users whose last login was more than 24 hrs ago (which means those users didn't log in in the last 24 hrs).

If you provide us the sample login log (without actual usernames/server names, etc.), we can help you with the SPL query. Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

Minghao
Explorer

Thank you very much. I have posted it, and in it flt means the first login time, which I think is very useful.

0 Karma
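A complete SPL search for what Minghao asked (per day, which users logged in but did not log in on the following day, plus the resulting 1-day retention rate), added here as an example and not part of Sekar's answer. It assumes `index=game sourcetype=login`, the event layout posted above and a 30-day window; the fields are pulled with `rex` because the missing comma before `ip=` in that layout defeats automatic key=value extraction, and `relative_time(_time, "+1d@d")` is used instead of `_time+86400` so DST transition days still line up.

```spl
index=game sourcetype=login earliest=-30d@d latest=@d
| rex "id=(?<id>\d+),flt=(?<flt>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})ip=(?<ip>[^,]+),device=(?<device>.*)"
| bin _time span=1d
| stats count AS logins BY id _time
| eval next_day=relative_time(_time, "+1d@d")
| sort 0 id -_time
| streamstats current=f window=1 last(_time) AS next_login_day BY id
| eval retained_d1=if(next_login_day=next_day, 1, 0)
| where next_day < relative_time(now(), "@d")
| eval day=strftime(_time, "%Y-%m-%d")
| stats dc(id) AS active_users sum(retained_d1) AS retained values(eval(if(retained_d1=0, id, null()))) AS churned_ids BY day
| eval d1_retention=round(retained/active_users, 3)
| sort 0 day
```

The `streamstats` over the per-user rows sorted newest-first hands each login day that user's next login day, so `retained_d1` is 1 only when that is exactly the following day, and the `where` clause drops days whose following day has not yet completed instead of counting them as churn.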