topic Re: Get fields associated with the earliest event in a search in Splunk Search

Get fields associated with the earliest event in a search

aaloisi — Tue, 12 May 2020 14:19:53 GMT

Hi all,

I am still a Splunk novice but I am looking for some help using the earliest command. I am calculating a duration from the beginning of my search period to the first event in the search period. For example, lets say the time frame is from 08:00 - 09:00 and the first event is seen at 08:15. This is my code :

| stats earliest(_time) as FirstEvent
| addinfo 
| eval duration=(FirstEvent - info_min_time)

So I am, able to get the timestamp of the earliest event at 08:15 BUT I would also like to get the fields associated with that earliest event. I have tried using two earliest commands but one overrides the other. In short, how do I get the fields associated with the (earliest) 08:15 event?

Re: Get fields associated with the earliest event in a search

richgalloway — Tue, 12 May 2020 15:09:12 GMT

The problem with stats as it's used here is it discards all fields except those it uses. In this case, it means only the FirstEvent field is available to later commands. To get the other fields from the events, you must include them in the stats command.

| stats earliest(_time) as FirstEvent. values(*) as *
| addinfo 
| eval duration=(FirstEvent - info_min_time)

Re: Get fields associated with the earliest event in a search

aaloisi — Tue, 12 May 2020 18:02:32 GMT

So adding the "values" to the stats gets really close to what I need but not exactly. Values returns a list of the distinct values of field X. In my case there are 2 distinct values. I want the current value of field X at time=earliest (08:15).

Re: Get fields associated with the earliest event in a search

richgalloway — Tue, 12 May 2020 18:57:44 GMT

Try earliest instead of values.

Re: Get fields associated with the earliest event in a search

aaloisi — Thu, 14 May 2020 12:48:38 GMT

Thanks @richgalloway this is exactly what I needed!