
Search that shows first and last event time + total count of events per user


I have a list of the top 10 users that failed to log in to a site, and I want to take the events related to those top ten users and get a readout of:
Time of first event
Time of last event
Total number of events

This would be relating to each user in that top ten list. Here is an example of what it would look like on paper:
   user_email          Start                      Stop                       Total
1. bob@bob.com         02/28/17 - 01:16:19:PM     09/22/17 - 10:36:51:AM     35
2. smith@smith.com     04/1/17 - 05:32:15:PM      06/26/17 - 11:22:06:PM     7

Here is what I have so far; really, I am just missing how I can get the total-number-of-events-per-user column:
index="test" Event_ID="123456" [search index="test" Event_ID="123456" | top limit=10 user_email | table user_email]
| stats earliest(_time) as start, latest(_time) as stop by user_email
| eval start=strftime(start, "%m/%d/%y - %I:%M:%S:%p")
| eval stop=strftime(stop, "%m/%d/%y - %I:%M:%S:%p")


Re: Search that shows first and last event time + total count of events per user


@snix

Try this:

index=test Event_ID="123456" [search index="test" Event_ID="123456" | top limit=10 user_email | table user_email]
| stats count as Total, earliest(_time) as start, latest(_time) as stop by user_email
| eval start=strftime(start, "%m/%d/%y - %I:%M:%S:%p")
| eval stop=strftime(stop, "%m/%d/%y - %I:%M:%S:%p")
| table user_email start stop Total


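To make explicit what the accepted search computes (subsearch keeps the top-N users by count, then stats gives first time, last time and count per user, formatted with the same strftime pattern), here is an added Python rendition over a constructed set of failed-login events. It is not code from the thread or from Splunk; the function names, sample addresses and timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Same format string the thread passes to strftime().
TIME_FMT = "%m/%d/%y - %I:%M:%S:%p"


def _t(y, mo, d, h, mi, s):
    """Epoch _time (UTC) for a constructed sample event."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()


# Constructed sample events (_time, user_email). Assumption: each one already
# matches index="test" Event_ID="123456", i.e. it is one failed login.
EVENTS = [
    (_t(2017, 2, 28, 13, 16, 19), "bob@bob.com"),
    (_t(2017, 5, 3, 8, 0, 0), "bob@bob.com"),
    (_t(2017, 9, 22, 10, 36, 51), "bob@bob.com"),
    (_t(2017, 4, 1, 17, 32, 15), "smith@smith.com"),
    (_t(2017, 6, 26, 23, 22, 6), "smith@smith.com"),
    (_t(2017, 7, 4, 12, 0, 0), "eve@eve.com"),
]


def top_users(events, limit=10):
    """Subsearch equivalent: `top limit=N user_email | table user_email`."""
    counts = defaultdict(int)
    for _, user in events:
        counts[user] += 1
    return sorted(counts, key=lambda u: (-counts[u], u))[:limit]


def summarize(events, limit=10):
    """stats count as Total, earliest(_time) as start, latest(_time) as stop
    by user_email, then strftime on start/stop. Splunk's stats orders rows by
    user_email; here they are ordered by Total (desc) like the ranked list in
    the question (in SPL that would need a trailing `| sort -Total`)."""
    keep = set(top_users(events, limit))
    first, last, total = {}, {}, defaultdict(int)
    for ts, user in events:
        if user not in keep:          # outer search filtered by the subsearch
            continue
        total[user] += 1
        first[user] = min(first.get(user, ts), ts)   # earliest(_time)
        last[user] = max(last.get(user, ts), ts)     # latest(_time)
    fmt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).strftime(TIME_FMT)
    return [{"user_email": u, "start": fmt(first[u]), "stop": fmt(last[u]),
             "Total": total[u]}
            for u in sorted(keep, key=lambda u: (-total[u], u))]


if __name__ == "__main__":
    for row in summarize(EVENTS, limit=2):
        print(row)
```

Splunk's strftime renders in the search head's timezone, so the formatted strings above use UTC only because the sample times were constructed in UTC.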

Re: Search that shows first and last event time + total count of events per user


@sbbadri

That did the trick!!! Thank you!!!
