Splunk search that will find when customers first ...

jhilton90 · ‎01-03-2023

I'm trying to come up with a Splunk search query that I can use to find when customers have first attempted to log in. We often get call outs regarding credential stuffing attacks, where 100's of accounts have attempted to log in, and part of my analysis is finding when these accounts first attempted to log in.

At the moment I've got this

index=keycloak
| sort time
| streamstats first(time) as first_login by username
| dedup username
| table username, first_login

The usernames are on display, but the 'first_login' column is empty

Manasa_401 · ‎01-03-2023

Hello @jhilton90

You can also try using stats command.

index=keycloak
| sort time
| stats first(_time) as first_login by username
| eval time=strftime(first_login,"%Y-%m-%d %H:%M:%S")

If this helps, karma would be appreciated.

Thanks,

Manasa

gcusello · ‎01-03-2023

Hi @jhilton90,

I don't know what you mean with "time", if you mean the events timestamp, you could try with _time:

index=keycloak
| sort time
| streamstats earliest(_time) as first_login by username
| eval first_login=strftime(first_login,"%Y-%m-%d %H:%M:%S")
| table username, first_login

Ciao.

Giuseppe

Splunk search that will find when customers first logged in?

stats

table

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation