https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365823#M160511 <P>sorry for the delayed response. That worked. Thanks for your help</P> Fri, 14 Jul 2017 07:29:32 GMT mdyunusraza 2017-07-14T07:29:32Z https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365819#M160507 <P>Hi All,</P> <P>I need help to figure out a query which give me a report based on time. I have tried out my hands with some query but due to my beginners knowledge of splunk, i have not been able to get it working.</P> <P>Basically I have following fields from two sources</P> <P>Source 1:<BR /> DATE USER LOGINTIME LOGTOUTTIME<BR /> 27/06/2017 USER1 10:00 10:50<BR /> 27/06/2017 USER1 11:00 11:25</P> <P>Source 2:<BR /> DATE USER APPNAME APPSTARTIME APPENDTIME DEVICENAME<BR /> 27/06/2017 USER1 APP1 10:02 10:10 PC1<BR /> 27/06/2017 USER1 APP2 10:03 10:15 PC1<BR /> 27/06/2017 USER1 APP3 10:04 10:09 PC1<BR /> 27/06/2017 USER1 APP4 11:03 11:15 PC2<BR /> 27/06/2017 USER1 APP5 11:04 11:09 PC2</P> <P>The above data comes when a user logs in to webserver and launches the application. But the same user can go to another machine and login again to the same webserver and launch applications again. So the results of such actions are depicted in table above.</P> <P>What I want to achieve is using the LOGINTIME &amp; LOGOUTTIME as boundary for each unique LOGINTIME of Source1, I want to capture the first application launch time. A user may have launched other apps but I dont want that.</P> <P>so the result should look like this in each individual row. Is this possible?</P> <P>DATE USER LOGINTIME APPNAME APPSTARTTIME LOGOUTTIME<BR /> 27/06/2017 USER1 10:00 APP1 10:02 10:50<BR /> 27/06/2017 USER1 11:00 APP4 11:03 11:25</P> Thu, 29 Jun 2017 06:14:25 GMT https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365819#M160507 mdyunusraza 2017-06-29T06:14:25Z https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365820#M160508 <P>using the data you provided, i've come up with this:</P> <PRE><CODE>|makeresults|eval data="DATE=27/06/2017 USER=USER1 LOGINTIME=10:00 LOGOUTTIME=10:50,DATE=27/06/2017 USER=USER1 LOGINTIME=11:00 LOGOUTTIME=11:25,DATE=27/06/2017 USER=USER1 APPNAME=APP1 APPSTARTTIME=10:02 APPENDTIME=10:10 DEVICENAME=PC1,DATE=27/06/2017 USER=USER1 APPNAME=APP2 APPSTARTTIME=10:02 APPENDTIME=10:15 DEVICENAME=PC1,DATE=27/06/2017 USER=USER1 APPNAME=APP3 APPSTARTTIME=10:04 APPENDTIME=10:09 DEVICENAME=PC1,DATE=27/06/2017 USER=USER1 APPNAME=APP4 APPSTARTTIME=11:03 APPENDTIME=11:15 DEVICENAME=PC2,DATE=27/06/2017 USER=USER1 APPNAME=APP5 APPSTARTTIME=11:09 APPENDTIME=10:09 DEVICENAME=PC2"|makemv data delim=","|mvexpand data|eval _raw=data|kv|eval time=coalesce(LOGINTIME,APPSTARTTIME)|sort USER DATE time|streamstats window=1 current=f values(LOGINTIME) as LOGIN values(LOGOUTTIME) as LOGOUT by USER DATE|table DATE USER LOGIN APPNAME APPSTARTTIME LOGOUT|search LOGIN=* </CODE></PRE> <P>you might have to make your date into epoch to sort by it correctly, but otherwise adding this to your search should work:</P> <PRE><CODE>|eval time=coalesce(LOGINTIME,APPSTARTTIME)|sort USER DATE time|streamstats window=1 current=f values(LOGINTIME) as LOGIN values(LOGOUTTIME) as LOGOUT by USER DATE|table DATE USER LOGIN APPNAME APPSTARTTIME LOGOUT|search LOGIN=* </CODE></PRE> Thu, 29 Jun 2017 11:51:09 GMT https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365820#M160508 cmerriman 2017-06-29T11:51:09Z https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365821#M160509 <P>Thanks for the reply. It is giving other fields except the APNAME and APSTARTTIME. Below is the actual query from my system. The only change that I made to your suggested query is that I added RENAME as the DATE and USER fields in my both searches are different. Not sure if that is what is creating the issue as my original post mentioned DATE and USER filed name as same in both the sources</P> <P>(index=* sourcetype="mywebserver" ) OR (index=main sourcetype=sql source=sqldb1 OR source=mi_input://sqldb1) | fields DBDATE,DBUSER,DBLOGIN,DBLOGOUT,APDATE,APSTARTTIME,APUSER,APNAME | rename DBDATE as DATE DBUSER as USER APDATE as DATE APUSER as USER | eval time=coalesce(DBLOGIN,APSTARTTIME)|sort USER DATE time|streamstats window=1 current=f values(DBLOGIN) as LOGIN values(DBLOGOUT) as LOGOUT by USER DATE|table DATE USER LOGIN StartTime LOGOUT|search LOGIN=*</P> Fri, 30 Jun 2017 04:00:52 GMT https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365821#M160509 mdyunusraza 2017-06-30T04:00:52Z https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365822#M160510 <P>you cannot rename two different fields to the same name (DBDATE and APDATE, DBUSER and APUSER), you'll have to use <CODE>coalesce</CODE>. <BR /> <CODE>|eval DATE=coalesce(DBDATE,APDATE)|eval USER=(DBUSER,APUSER)</CODE><BR /> see if that helps. </P> Fri, 30 Jun 2017 11:25:09 GMT https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365822#M160510 cmerriman 2017-06-30T11:25:09Z https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365823#M160511 <P>sorry for the delayed response. That worked. Thanks for your help</P> Fri, 14 Jul 2017 07:29:32 GMT https://community.splunk.com/t5/Splunk-Search/Query-related-to-earliest-latest-functions/m-p/365823#M160511 mdyunusraza 2017-07-14T07:29:32Z