Splunk Search

Query

kajalchopade071
Path Finder

Supposed if i have huge data off employees Like name department and status (login /logout )

One person can login and logout many times in One day. 

I need to find out last logout time for each employee 

Labels (8)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

These doubts are variations on the same theme as are the solutions.


One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.
index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 
index=foo (status=logon OR status=logout)
| stats count by status

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 
index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status



---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Search for logouts then take the most recent one for each employee.  The dedup command keeps the most recent event for each specified field value (employee name, in this case).

index=foo status=logout
| dedup name

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

kajalchopade071
Path Finder

Thank you so much for the help it return correct values. 

One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me. 

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

These doubts are variations on the same theme as are the solutions.


One more doubt, i got Now last logout name of employee ,but supposed after some time he logged in again now i need to remove this user from my logout list. Can you please help me.
index=foo (status=logout OR status=logon)
```Find the most recent login/logout event for each employee```
| dedup name
```Keep only the logouts.  All others are still logged on.```
| where status=logout

Supposed i have employees data status Like login logout. I need to calculate the how many employee logged in and logged out. 
index=foo (status=logon OR status=logout)
| stats count by status

3 employees login and from that 3 employee One log out. Now I need to count in logout list. Suppose again the same employee login i need to push it into login list and remove from logout list likewise 
index=foo (status=logon OR status=logout)
```Show who is logged in and who is logged out```
| stats values(name) as names by status



---
If this reply helps you, Karma would be appreciated.
0 Karma

kajalchopade071
Path Finder

Thanks 😊

0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...