https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544168#M154143 <P>Hi</P><P>after stats comand please create your triggered_time field with eval:</P><P>| eval T<SPAN>RIGGER_TYPE=if[please here create your condition with e2 fields]</SPAN></P><P><SPAN><A href="https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/" target="_blank">https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/</A></SPAN></P><P><SPAN>after this order your output with&nbsp; a table comand or other stats comand</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Mar 2021 11:28:39 GMT aasabatini 2021-03-17T11:28:39Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544159#M154138 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="agh_0-1615978991460.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13350i8E707063E35F8AEF/image-size/large?v=v2&amp;px=999" role="button" title="agh_0-1615978991460.png" alt="agh_0-1615978991460.png" /></span></P><P>&nbsp;</P><P>I have a query like this where i group by REQUEST_ID</P><P>&nbsp;</P><P>eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval e1=e1/1000 | sort -e1</P><P>&nbsp;</P><P>I would like to add a new field in this output called TRIGGER_TYPE and display only that trigger_type from each group which has the minimum TIMESTAMP_DERIVED field (e2). (Note that TIMESTAMP_DERIVED is my custom timestamp field)</P><P>&nbsp;</P><P>I see I can get a list of all the trigger types in each group with list(TRIGGER_TYPE) but i only want the TRIGGER_TYPE which has a specific value for the TIMESTAMP_DERIVED field.</P><P>Any ideas on how this can be achieved?</P> Wed, 17 Mar 2021 11:06:52 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544159#M154138 agh 2021-03-17T11:06:52Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544168#M154143 <P>Hi</P><P>after stats comand please create your triggered_time field with eval:</P><P>| eval T<SPAN>RIGGER_TYPE=if[please here create your condition with e2 fields]</SPAN></P><P><SPAN><A href="https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/" target="_blank">https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/</A></SPAN></P><P><SPAN>after this order your output with&nbsp; a table comand or other stats comand</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Mar 2021 11:28:39 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544168#M154143 aasabatini 2021-03-17T11:28:39Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544169#M154144 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232591">@agh</a>,<BR />Try this:</P><LI-CODE lang="markup">eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | eventstats min(TIMESTAMP_DERIVED) as TIMESTAMP_DERIVED_min by REQUEST_ID | eval trigger_type_min=if(TIMESTAMP_DERIVED=TIMESTAMP_DERIVED_min, TRIGGER_TYPE, "") | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2, max(trigger_type_min) as TRIGGER_TYPE by REQUEST_ID | eval e1=e1/1000 | sort -e1</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Wed, 17 Mar 2021 11:34:17 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544169#M154144 manjunathmeti 2021-03-17T11:34:17Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544172#M154145 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="agh_0-1615981155116.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13353iD179B8C59622F5D9/image-size/large?v=v2&amp;px=999" role="button" title="agh_0-1615981155116.png" alt="agh_0-1615981155116.png" /></span></P><P>I tried this&nbsp;</P><P>eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval a1=if(TIMESTAMP_DERIVED==e2, TRIGGER_TYPE, "not_first") | eval e1=e1/1000 | sort -e1</P><P>&nbsp;</P><P>trying to output TRIGGER_TYPE field, but a1 is always "not_first". I tried changing the true false outputs, but looks like the field TRIGGER_TYPE is not outputted</P><P>&nbsp;</P> Wed, 17 Mar 2021 11:41:30 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544172#M154145 agh 2021-03-17T11:41:30Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544213#M154154 <P>this doesnt seem to give correct output, and also takes a lot of time to process (5+ min)</P> Wed, 17 Mar 2021 14:59:37 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-group-with-minimum-timestamp/m-p/544213#M154154 agh 2021-03-17T14:59:37Z