topic Re: I want to specify a field which contains time as earliest and another field as latest so that my spl will be execute in Splunk Search https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594188#M206808 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/204073">@bapun18</a>,</P><P>if you want to use your fields, you can rename them but in the main search you have to use earliest and latest, not other field names, so if in your data you have&nbsp;<SPAN>starttimeUTC and endtimeutc, you could use something like this:</SPAN></P><LI-CODE lang="markup">your_main_search [ search index=abcd | stats earliest(starttimeUTC) AS earliest latest(endtimeutc) AS latest ] | ....</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Tue, 19 Apr 2022 06:38:03 GMT gcusello 2022-04-19T06:38:03Z I want to specify a field which contains time as earliest and another field as latest so that my spl will be executed.. https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594177#M206804 <P>I want to specify a field that contains time as earliest and another field as latest so that my spl will be executed with the earliest value of the earliest value of fileld1 and latest value as the latest value of the filed 2.<BR /><BR />Example,<BR />index=abcd&nbsp;<BR />|table starttimeUTC endtimeutc<BR /><BR />in the above search should run as earliest=&lt;earlier value of&nbsp;tarttimeUTC&gt; and latest=&lt;latest value of&nbsp;endtimeutc&gt;</P> Tue, 19 Apr 2022 05:22:09 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594177#M206804 bapun18 2022-04-19T05:22:09Z Re: I want to specify a field which contains time as earliest and another field as latest so that my spl will be execute https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594178#M206805 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/204073">@bapun18</a>,</P><P>you should try to use a simple search like this:</P><LI-CODE lang="markup">your_main_search [ search index=abcd | stats earliest(_time) AS earliest latest(_time) AS latest ] | ....</LI-CODE><P>it's important that you use the field names earliest and latest in the main search.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 19 Apr 2022 05:53:14 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594178#M206805 gcusello 2022-04-19T05:53:14Z Re: I want to specify a field which contains time as earliest and another field as latest so that my spl will be execute https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594188#M206808 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/204073">@bapun18</a>,</P><P>if you want to use your fields, you can rename them but in the main search you have to use earliest and latest, not other field names, so if in your data you have&nbsp;<SPAN>starttimeUTC and endtimeutc, you could use something like this:</SPAN></P><LI-CODE lang="markup">your_main_search [ search index=abcd | stats earliest(starttimeUTC) AS earliest latest(endtimeutc) AS latest ] | ....</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Tue, 19 Apr 2022 06:38:03 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-specify-a-field-which-contains-time-as-earliest-and/m-p/594188#M206808 gcusello 2022-04-19T06:38:03Z