Splunk search that will find when customers first ...

jhilton90 · ‎01-03-2023

I'm trying to come up with a Splunk search query that I can use to find when customers have first attempted to log in. We often get call outs regarding credential stuffing attacks, where 100's of accounts have attempted to log in, and part of my analysis is finding when these accounts first attempted to log in.

At the moment I've got this

index=keycloak
| sort time
| streamstats first(time) as first_login by username
| dedup username
| table username, first_login

The usernames are on display, but the 'first_login' column is empty

Manasa_401 · ‎01-03-2023

Hello @jhilton90

You can also try using stats command.

index=keycloak
| sort time
| stats first(_time) as first_login by username
| eval time=strftime(first_login,"%Y-%m-%d %H:%M:%S")

If this helps, karma would be appreciated.

Thanks,

Manasa

gcusello · ‎01-03-2023

Hi @jhilton90,

I don't know what you mean with "time", if you mean the events timestamp, you could try with _time:

index=keycloak
| sort time
| streamstats earliest(_time) as first_login by username
| eval first_login=strftime(first_login,"%Y-%m-%d %H:%M:%S")
| table username, first_login

Ciao.

Giuseppe

Splunk search that will find when customers first logged in?

stats

table

timechart

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?