How to get info from user's first session?

ysdeos · ‎11-17-2012

I have user logs that look like this per session:

userId=u1 sessionId=s1 level=l1

userId=u1 sessionId=s1 level=l2

userId=u1 sessionId=s2 level=l3

userId=u2 sessionId=s1 level=l2

userId=u2 sessionId=s1 level=l4
...

I want a query that returns the user's last recorded session from the first session he had. Meaning:

userId,sessionId,level

u1,s1,l2

u2,s1,l4

How can I do this?
Thanks!

Damien_Dallimor · ‎11-17-2012

See if this works for you :

... | stats values(level) as levels by sessionId,userId | dedup userId | stats last(levels) as "last session" by userId,sessionId

Are you a member of the Splunk Community?