Solved: Re: Query

kajalchopade071 · ‎01-24-2022

Supposed if i have huge data off employees Like name department and status (login /logout )

One person can login and logout many times in One day.

I need to find out last logout time for each employee

richgalloway · ‎01-24-2022

These doubts are variations on the same theme as are the solutions.

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.

index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out.

index=foo (status=logon OR status=logout)
| stats count by status

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise

index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-24-2022

Search for logouts then take the most recent one for each employee. The dedup command keeps the most recent event for each specified field value (employee name, in this case).

index=foo status=logout
| dedup name

---
If this reply helps you, Karma would be appreciated.

kajalchopade071 · ‎01-24-2022

Thank you so much for the help it return correct values.

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out.

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise

richgalloway · ‎01-24-2022

These doubts are variations on the same theme as are the solutions.

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.

index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out.

index=foo (status=logon OR status=logout)
| stats count by status

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise

index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status

---
If this reply helps you, Karma would be appreciated.

kajalchopade071 · ‎01-24-2022

Thanks 😊

Query

chart

count

eval

lookup

regex

rex

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation

Query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.