Splunk Search

Search to find the timestamp of each (Login, Logout, Expire) keyword from _raw and log file last updated time

Path Finder

Hi Guys,

Can anyone please help me in the below search.
I want the name of all logfiles with details of keywords from each sourcetype.
If there is a keyword present in the specific log file then the last time when that keyword was there in the log file.

Log_Name | Updatedago | Login | Logout | Expire
Server.log | Last Login event at "TimeFrame"| Last LogOut event at "TimeFrame"| Last Expire event at "TimeFrame"
Server1.log | Last Login event at "TimeFrame"| Last LogOut event at "TimeFrame"| Last Expire event at "TimeFrame"

The Login , Logout, Expire are the keywords available in _raw field.
The timestamp field specifies the logs are updated how many minutes/hours ago(last updated time of log file)

I am using below search but no results and not sure how to get last updated thing:

index=serverlogs source=server*.log
 | eval status=if(_raw LIKE "*Login*" ,Login, _raw LIKE "*LogOut*","Logout", _raw LIKE "*Expire*","Expire",0 )
0 Karma

Esteemed Legend

Try this:

index=serverlogs source=server*.log
| eval status=case(
   match(_raw, "Login",  "Login",
   match(_raw, "LogOut", "Logout", 
   match(_raw, "Expire", "Expire",
   true(), "Other")
0 Karma


Hi sahil237888,
whay don't you tried to use tags?
you should create three different eventypes and associate to each of them a tag:

  • index=serverlogs source=server*.log login for tag=login
  • index=serverlogs source=server*.log logout for tag=logout
  • index=serverlogs source=server*.log logfail for tag=logfail

In this way, yoy have the keywords to display:

index=serverlogs source=server*.log
| table _time source tag

Using this method I created an entire apps to display login, logout and logfail of many different systems, creating many eventyper (three for each kind of system) associating the related tag.


Get Updates on the Splunk Community!

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW! Every day the list of sources Admins are responsible for gets bigger and bigger, often making ...