Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query

kajalchopade071
Path Finder
‎01-24-2022 06:40 AM

Supposed if i have huge data off employees Like name department and status (login /logout )

One person can login and logout many times in One day. 

I need to find out last logout time for each employee 

Labels (8)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2022 04:38 PM

These doubts are variations on the same theme as are the solutions.

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.
index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout
Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 
index=foo (status=logon OR status=logout)
| stats count by status
3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 
index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status



---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2022 07:31 AM

Search for logouts then take the most recent one for each employee.  The dedup command keeps the most recent event for each specified field value (employee name, in this case).

index=foo status=logout
| dedup name

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kajalchopade071
Path Finder
‎01-24-2022 08:04 AM

Thank you so much for the help it return correct values. 

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me. 

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2022 04:38 PM

These doubts are variations on the same theme as are the solutions.

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.
index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout
Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 
index=foo (status=logon OR status=logout)
| stats count by status
3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 
index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status



---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kajalchopade071
Path Finder
‎01-24-2022 09:36 PM

Thanks 😊

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...