Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return First user and _time from ACS syslog

buldamoosh
New Member
‎02-28-2012 09:49 AM

Firstly, my data is formatted like this:

Dec 15 13:58:12 gthou-nsacs01p CisACS_01_PassedAuth ne8yfimc 1 0 Message-Type=Authen OK,User-Name=Adorton,NAS-IP-Address=10.71.11.7,Caller-ID=174.253.112.223,NAS-Port=124190720,Group-Name=VPN Neudesic,Filter Information=No Filters activated.,AAA Server=gthou-nsacs01p,Network Device Group=Wireless and VPN,Access Device=phe-ardmore-int-sa00-rad,

I've created an eventtype which keys on "Message-Type=Authen OK" called acs-authentication-success. The query I'm working off of looks like this:

eventtype=acs-authentication-success | uniq User_Name | sort User_Name, -_date | fields User_Name, _time

However, rather than displaying the latest time that every User_Name was seen in the syslog data, it returns EVERY individual instance. I'm new to splunk reporting and would appreciate any assistance. Thanks in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-28-2012 10:16 AM

First, do not use uniq. I don't even know why it even exists. Try:

eventtype=acs-authentication-success | dedup User_Name | fields User_Name, _time

or

eventtype=acs-authentication-success | stats latest(_time) by User_Name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-28-2012 10:16 AM

First, do not use uniq. I don't even know why it even exists. Try:

eventtype=acs-authentication-success | dedup User_Name | fields User_Name, _time

or

eventtype=acs-authentication-success | stats latest(_time) by User_Name
0 Karma
Reply
Solved! Jump to solution

buldamoosh
New Member
‎02-28-2012 10:40 AM

Awesome, that definitely got my results as I expected them. Thank you so much! Can you point me to a document that will help me to export the dataset to a CSV with the User_name and the _time?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...