https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538743#M152325 <LI-CODE lang="markup">| reverse | streamstats current=f window=0 last(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name</LI-CODE><P>...switch first(Disconnected_time) with last(Disconnected_time).</P> Fri, 05 Feb 2021 11:23:17 GMT tread_splunk 2021-02-05T11:23:17Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538723#M152318 <P>Current Output :</P><TABLE width="412"><TBODY><TR><TD width="203.517px" height="24px">Disconnected_time</TD><TD width="228.183px" height="24px">Disconnected_Session_Name</TD><TD width="52.55px" height="24px">count</TD></TR><TR><TD width="203.517px" height="24px"><SPAN>2021-02-02T02:04:29.000</SPAN></TD><TD width="228.183px" height="24px">RDP-Tcp#10</TD><TD width="52.55px" height="24px">12</TD></TR><TR><TD width="203.517px" height="24px">2021-02-02T02:15:55.000</TD><TD width="228.183px" height="24px">RDP-Tcp#27</TD><TD width="52.55px" height="24px">6</TD></TR><TR><TD width="203.517px" height="24px">2021-02-02T03:25:10.000</TD><TD width="228.183px" height="24px">RDP-Tcp#10</TD><TD width="52.55px" height="24px">11</TD></TR><TR><TD width="203.517px" height="24px">2021-02-02T09:30:59.000</TD><TD width="228.183px" height="24px">RDP-Tcp#27</TD><TD width="52.55px" height="24px">5</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>PreviousEventTime should be generated based on "Disconnected_Session_Name" match</P><P>Example :</P><TABLE width="573"><TBODY><TR><TD width="161">Disconnected_time</TD><TD width="187">Disconnected_Session_Name</TD><TD width="64">count</TD><TD width="161">PreviousEventTime</TD></TR><TR><TD><SPAN>2021-02-02T02:04:29.000</SPAN></TD><TD>RDP-Tcp#10</TD><TD>12</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T02:15:55.000</TD><TD>RDP-Tcp#27</TD><TD>6</TD><TD>&nbsp;</TD></TR><TR><TD width="161">2021-02-02T03:25:10.000</TD><TD>RDP-Tcp#10</TD><TD>11</TD><TD><SPAN>2021-02-02T02:04:29.000</SPAN></TD></TR><TR><TD>2021-02-02T09:30:59.000</TD><TD>RDP-Tcp#27</TD><TD>5</TD><TD>2021-02-02T02:15:55.000</TD></TR></TBODY></TABLE><P>&nbsp;</P> Fri, 05 Feb 2021 09:43:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538723#M152318 vn_g 2021-02-05T09:43:15Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538732#M152319 <P>| streamstats current=f window=1 first(Disconnected_time) as PreviousEventTime by&nbsp;<SPAN>Disconnected_Session_Name</SPAN></P> Fri, 05 Feb 2021 10:21:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538732#M152319 tread_splunk 2021-02-05T10:21:00Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538735#M152320 <P>No, this is not generating the expected output. There are more than 200 session names which doesnot generate in any particular order.</P> Fri, 05 Feb 2021 10:53:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538735#M152320 vn_g 2021-02-05T10:53:55Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538736#M152321 <P>Looking at it again, I think you need to reverse your results first...</P><LI-CODE lang="markup">| reverse | streamstats current=f window=1 first(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name</LI-CODE><P>&nbsp;</P> Fri, 05 Feb 2021 10:56:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538736#M152321 tread_splunk 2021-02-05T10:56:48Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538739#M152322 <P>No, still it the same.</P><P>Current Output using streamstats :</P><TABLE width="509"><TBODY><TR><TD width="161">Disconnected_time</TD><TD width="187">Disconnected_Session_Name</TD><TD width="161">PreviousEventTime</TD></TR><TR><TD>2021-02-02T23:31:37.000</TD><TD>RDP-Tcp#10</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T23:25:15.000</TD><TD>RDP-Tcp#27</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T17:58:18.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T23:25:15.000</TD></TR><TR><TD>2021-02-02T17:36:39.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T17:58:18.000</TD></TR><TR><TD>2021-02-02T16:32:07.000</TD><TD>RDP-Tcp#10</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T16:28:41.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T16:32:07.000</TD></TR><TR><TD>2021-02-02T14:59:04.000</TD><TD>RDP-Tcp#27</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T12:19:51.000</TD><TD>RDP-Tcp#10</TD><TD>&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Expected Output :</P><TABLE width="509"><TBODY><TR><TD width="161">Disconnected_time</TD><TD width="187">Disconnected_Session_Name</TD><TD width="161">PreviousEventTime</TD></TR><TR><TD>2021-02-02T23:31:37.000</TD><TD>RDP-Tcp#10</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T23:25:15.000</TD><TD>RDP-Tcp#27</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T17:58:18.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T23:25:15.000</TD></TR><TR><TD>2021-02-02T17:36:39.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T17:58:18.000</TD></TR><TR><TD>2021-02-02T16:32:07.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T23:31:37.000</TD></TR><TR><TD>2021-02-02T16:28:41.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T16:32:07.000</TD></TR><TR><TD>2021-02-02T14:59:04.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T17:36:39.000</TD></TR><TR><TD>2021-02-02T12:19:51.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T16:28:41.000</TD></TR></TBODY></TABLE> Fri, 05 Feb 2021 11:07:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538739#M152322 vn_g 2021-02-05T11:07:51Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538740#M152323 <P>Replace window=1 with window=0.</P><P>&nbsp;</P> Fri, 05 Feb 2021 11:15:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538740#M152323 tread_splunk 2021-02-05T11:15:57Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538742#M152324 <P>No , the output is generating the same value for "PreviousEventTime" field.</P><TABLE width="509"><TBODY><TR><TD width="161">Disconnected_time</TD><TD width="187">Disconnected_Session_Name</TD><TD width="161">PreviousEventTime</TD></TR><TR><TD>2021-02-02T23:31:37.000</TD><TD>RDP-Tcp#10</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T23:25:15.000</TD><TD>RDP-Tcp#27</TD><TD>&nbsp;</TD></TR><TR><TD>2021-02-02T17:58:18.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T23:25:15.000</TD></TR><TR><TD>2021-02-02T17:36:39.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T23:25:15.000</TD></TR><TR><TD>2021-02-02T16:32:07.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T23:31:37.000</TD></TR><TR><TD>2021-02-02T16:28:41.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T23:31:37.000</TD></TR><TR><TD>2021-02-02T14:59:04.000</TD><TD>RDP-Tcp#27</TD><TD>2021-02-02T23:25:15.000</TD></TR><TR><TD>2021-02-02T12:19:51.000</TD><TD>RDP-Tcp#10</TD><TD>2021-02-02T23:31:37.000</TD></TR></TBODY></TABLE> Fri, 05 Feb 2021 11:19:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538742#M152324 vn_g 2021-02-05T11:19:34Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538743#M152325 <LI-CODE lang="markup">| reverse | streamstats current=f window=0 last(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name</LI-CODE><P>...switch first(Disconnected_time) with last(Disconnected_time).</P> Fri, 05 Feb 2021 11:23:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538743#M152325 tread_splunk 2021-02-05T11:23:17Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538746#M152327 <P>One more go...</P><LI-CODE lang="markup">| reverse | streamstats current=f window=1 global=false last(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name</LI-CODE><P>Have a look at the docs for streamstats and investigate the correct combination of window, global and first/last for your data set.</P> Fri, 05 Feb 2021 11:29:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538746#M152327 tread_splunk 2021-02-05T11:29:24Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538758#M152331 <P>How are you getting on?</P> Fri, 05 Feb 2021 12:46:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538758#M152331 tread_splunk 2021-02-05T12:46:12Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538761#M152332 <P>This helped. Thanks a lot.</P> Fri, 05 Feb 2021 13:02:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-Previous-Event-Time-into-Current-Event-by/m-p/538761#M152332 vn_g 2021-02-05T13:02:00Z