I need to return the earliest login time per day for a single username. However, some returns do not match the login from that date. Query below:
index=app_redacted_int_* sourcetype="redacted" SessionState="Active" UserName=ABCDE123
| rex field=UserRealName "(?<IDNUM>\d+$)"
| bucket _time span=1d as day
| eval day=strftime(_time,"%F")
| stats earliest(SessionStateChangeTime) as SesssionStateChangeTime by day IDNUM UserRealName UserName
Results:
day IDNUM UserRealName UserName SessionStateChangeTime
2020-07-23 123 John Smith ABCDE123 7/22/2020 09:48:52
2020-07-24 123 John Smith ABCDE123 7/23/2020 12:47:13
2020-07-25 123 John Smith ABCDE123 7/24/2020 07:23:01
2020-07-27 123 John Smith ABCDE123 7/27/2020 07:54:34
2020-07-28 123 John Smith ABCDE123 7/27/2020 07:54:34
2020-07-29 123 John Smith ABCDE123 7/28/2020 07:32:04
As you can see, some days are returning their earliest login as a login from the previous day. I need the dates on the left side and the right side to be matching, and I need this all together in one query, I already know how to do it one query at a time. Thanks for taking your time to help! It is greatly appreciated!
It would appear that on those dates you've binned, the earliest login time was from an earlier day
It appears you've conflated multiple dates in the data into expecting them to be "the same"
I would strongly suspect that
SesssionStateChangeTimeis not the field you want to look at - at least, not in the manner you're trying to now