Splunk Search

Query

kajalchopade071
Path Finder

Supposed if i have huge data off employees Like name department and status (login /logout )

One person can login and logout many times in One day. 

I need to find out last logout time for each employee 

Labels (9)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

These doubts are variations on the same theme as are the solutions.


One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.
index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 
index=foo (status=logon OR status=logout)
| stats count by status

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 
index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status



---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Search for logouts then take the most recent one for each employee.  The dedup command keeps the most recent event for each specified field value (employee name, in this case).

index=foo status=logout
| dedup name

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

kajalchopade071
Path Finder

Thank you so much for the help it return correct values. 

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me. 

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

These doubts are variations on the same theme as are the solutions.


One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.
index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 
index=foo (status=logon OR status=logout)
| stats count by status

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 
index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status



---
If this reply helps you, Karma would be appreciated.
0 Karma

kajalchopade071
Path Finder

Thanks 😊

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...