Solved: Re: splunk search query

kajalchopade071 · ‎12-15-2021

suppose if i have user1,user2,user3 i need to find out last log message of each user h

isoutamo · ‎12-15-2021

Hi

expecting that your log message is in field named message

index=<your index>
| stats last(message) by user
| where user IN ("user1", "user2", "user3")

Based on amount of your user etc. it could be better to switch where before stats.

r. Ismo

isoutamo · ‎12-15-2021

Hi

expecting that your log message is in field named message

index=<your index>
| stats last(message) by user
| where user IN ("user1", "user2", "user3")

Based on amount of your user etc. it could be better to switch where before stats.

r. Ismo

kajalchopade071 · ‎12-15-2021

suppose if i have lots of user not only 3 user so how can i used by using IN

splunk search query