Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group and count first and last timestamp

glm_cybaze
Engager
‎10-09-2020 05:04 AM

Hi to everyone,

I have some trouble on setting a correct output for a search query.

This is the start situation of the logs:

splunk_screen_1.jpg

 I've created a regex for a cleaner situation:

 

host="xxxxx" 
     | rex "time\":\"(?<time>[^\"]+)"
     | rex "fullname\":\"(?<fullname>[^\"]+)"
     | rex "confname\":\"(?<confname>[^\"]+)"
     | table time, fullname, confname

 

So now i have this situation:

splunk_screen_2.jpg

It's clear but i need a situation where i can see the first and last time a user login (the system logs timestamp for users as long as the user is logged)

something like: Time start | Time Stop | full name | confname
Someone has a some suggestions?

p.s.
For helping others people in my situation, this is the logs of Big Blue Button software

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-11-2020 10:32 AM

Is it that you want the timestamps displayed as date time?

| fieldformat 'Time Start'=strftime('Time Start',"%Y-%m-%dT%H:%M:%S.%Q")
| fieldformat 'Time Stop'=strftime('Time Stop',"%Y-%m-%dT%H:%M:%S.%Q")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 06:41 AM 
| stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname
0 Karma
Reply
Solved! Jump to solution

glm_cybaze
Engager
‎10-11-2020 09:55 AM

Hi tanks,

I replaced the string

| table time_first, time_last, fullname, confname

With

| stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname

Result is:

splunk_screen_3.jpg

I think because the timestamp is: 2020-10-10T12:14:06.969Z
any suggestion?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-11-2020 10:32 AM

Is it that you want the timestamps displayed as date time?

| fieldformat 'Time Start'=strftime('Time Start',"%Y-%m-%dT%H:%M:%S.%Q")
| fieldformat 'Time Stop'=strftime('Time Stop',"%Y-%m-%dT%H:%M:%S.%Q")
0 Karma
Reply
Solved! Jump to solution

glm_cybaze
Engager
‎10-11-2020 12:57 PM

Yes, it works fine! A summary for others:

host="xxxxxxx" 
     | rex "time\":\"(?<time>[^\"]+)"
     | rex "fullname\":\"(?<fullname>[^\"]+)"
     | rex "confname\":\"(?<confname>[^\"]+)"
| stats earliest(_time) as "Time Start" latest(_time) as "Time Stop" by fullname, confname
 | fieldformat "Time Start"=strftime('Time Start',"%Y-%m-%dT%H:%M:%S.%Q")
| fieldformat "Time Stop"=strftime('Time Stop',"%Y-%m-%dT%H:%M:%S.%Q")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...