I want to get the first time and last time per day that a person identified by a unique CARD_ID shows up in an access log. The log is in the format shown below. I want to be able to chart it showing the average access times for people and to highlight people who are significantly outside the normal range (second part is optional). If I have a list of employees in a CSV file, I would like to be able to pull the report based on team_ID.
I tried: http://answers.splunk.com/answers/149904/find-earliest-and-latest-event-per-day-for-a-time-range.html but that is asking for a single user and I was unable to edit for my use.
Based on the post above, I tried the following command, but the first and last were 00:00:
host="pfcacu" sourcetype =csv |table _time CARD_ID | bucket _time span=1d | stats earliest(_time) as First latest(_time) as Last by "Card Number" | eval First=strftime(First,"%H:%M") | eval Last=strftime(Last,"%H:%M")
1,Access Granted,3,LOCATION_NAME,UNIT2,SITE_NAME,11/13/2014 15:39:00,000,CARD_ID,Fname,Lname #2,,,,,,,,,,,,,,,,,,
1,Access Granted,2,LOCATION_NAME,UNIT4,SITE_NAME,11/13/2014 15:40:18,000,CARD_ID,Fname,Lname ,,,,,,,,,CS,,,,,,,,,
1,Access Granted,2,LOCATION_NAME,UNIT4,SITE_NAME,11/13/2014 15:41:11,000,CARD_ID,Fname,Lname #2,,,,,,,,,,,,,,,,,,
1,Access Granted,3,LOCATION_NAME,UNIT3,SITE_NAME,11/13/2014 15:43:25,000,CARD_ID,Fname,Lname ,,,,,,,,,,,,,,,,,,
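The per-day first and last access per card, the team filter and a simple outlier flag, worked outside Splunk on the log layout shown in the post; this is an added example, not part of the original post. It keeps the full timestamp and uses the day only as a grouping key, since rounding the timestamp itself to the day leaves nothing but 00:00 to report. The card IDs, names, locations, the `CARD_ID`/`team_ID` CSV columns and the two-standard-deviation threshold are constructed assumptions.

```python
import csv
import io
import statistics
from datetime import datetime

# Constructed sample rows in the post's column layout (IDs, names and sites are made up).
SAMPLE_LOG = """\
1,Access Granted,2,LAB,UNIT4,HQ,11/13/2014 17:31:18,000,1001,Ann,Lee,,,,
1,Access Granted,3,LOBBY,UNIT2,HQ,11/13/2014 08:02:00,000,1001,Ann,Lee,,,,
1,Access Granted,3,LOBBY,UNIT2,HQ,11/13/2014 08:10:44,000,1002,Bo,Kim #2,,,,
1,Access Granted,2,LAB,UNIT4,HQ,11/13/2014 12:01:00,000,1002,Bo,Kim #2,,,,
1,Access Granted,3,LOBBY,UNIT3,HQ,11/13/2014 16:45:09,000,1002,Bo,Kim #2,,,,
1,Access Granted,3,LOBBY,UNIT2,HQ,11/13/2014 08:05:30,000,1003,Cy,Roe,,,,
1,Access Granted,3,LOBBY,UNIT3,HQ,11/13/2014 18:02:12,000,1003,Cy,Roe,,,,
1,Access Granted,3,LOBBY,UNIT2,HQ,11/14/2014 07:58:03,000,1001,Ann,Lee,,,,
1,Access Granted,2,LAB,UNIT4,HQ,11/14/2014 17:05:00,000,1001,Ann,Lee,,,,
1,Access Granted,3,LOBBY,UNIT2,HQ,11/14/2014 08:07:19,000,1002,Bo,Kim #2,,,,
1,Access Granted,3,LOBBY,UNIT2,HQ,11/14/2014 03:15:27,000,1003,Cy,Roe,,,,
1,Access Granted,3,LOBBY,UNIT3,HQ,11/14/2014 17:20:00,000,1003,Cy,Roe,,,,
"""
# Constructed employee list; the CARD_ID and team_ID column names are assumptions.
SAMPLE_EMPLOYEES = "CARD_ID,team_ID\n1001,T1\n1002,T1\n1003,T2\n"

def first_last_per_day(log_text):
    """Map (day, card_id) -> (first, last) datetime seen for that card on that day."""
    spans = {}
    for row in csv.reader(io.StringIO(log_text)):
        try:
            ts, card = datetime.strptime(row[6], "%m/%d/%Y %H:%M:%S"), row[8]
        except (IndexError, ValueError):
            continue  # skip blank, short or malformed rows
        key = (ts.strftime("%Y-%m-%d"), card)  # the day groups rows; ts keeps its time
        first, last = spans.get(key, (ts, ts))
        spans[key] = (min(first, ts), max(last, ts))
    return spans

def team_report(spans, employees_text, team_id):
    """First/last as HH:MM for the cards that the employee CSV assigns to team_id."""
    cards = {r["CARD_ID"] for r in csv.DictReader(io.StringIO(employees_text))
             if r["team_ID"] == team_id}
    return {k: (f.strftime("%H:%M"), l.strftime("%H:%M"))
            for k, (f, l) in sorted(spans.items()) if k[1] in cards}

def outliers(spans, threshold=2.0):
    """Card-days whose first access is more than threshold std devs from the mean."""
    minutes = {k: f.hour * 60 + f.minute for k, (f, _) in spans.items()}
    mean = statistics.mean(minutes.values())
    sd = statistics.pstdev(minutes.values())
    return sorted(k for k, m in minutes.items() if sd and abs(m - mean) > threshold * sd)
```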