Re: How to get last login from multiple date ?

riposan · ‎01-29-2023

please help,i used _time from date log, and i using time from windowstime, but i tried substraction bot of them not result in coloumn durationday

stats max(_time) as lastlogin by user |eval n=time()|eval today=strftime(n,"%m-%d-%Y %H:%M:%S.%Q")| eval durationday = lastlogin - today | table user,lastlogin,today,durationday

and result this

user lastlogin today durationday

dsadadnk12

01-30-2023 11:10:27.208

01-30-2023 11:25:14.000

scelikok · ‎01-29-2023

Hi @riposan,

You should calculate the duration before formatting the lastlogin. Please try below;

| stats max(_time) as lastlogin by user 
| eval n=time() 
| eval durationday = n-lastlogin 
| eval today=strftime(n,"%m-%d-%Y %H:%M:%S.%Q") 
| eval durationday= tostring(durationday,"duration") 
| table user,lastlogin,today,durationday

If this reply helps you an upvote and "Accept as Solution" is appreciated.

riposan · ‎01-29-2023

thx for reply my question. i tried this,still no result in coloumn durationday

riposan · ‎01-30-2023

after i tried change coloumn _time, its still work. thx

How to get last login from multiple date ?

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation