https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612015#M212799 <P>I have a table with the next information:</P><P>Fecha<BR />31/08/2022 16:16:43<BR />31/08/2022 16:19:48<BR />31/08/2022 16:16:34<BR />31/08/2022 16:16:40</P><P><SPAN>I now want to group these infor&nbsp; by day and hour start and hour end,&nbsp; for example:</SPAN></P><P>31/08/2022&nbsp;16:16:34 -&nbsp;16:19:48<BR /><BR /></P><P>The query:</P><P>index=o365 sourcetype=o365:management:activity Operation=UserLoginFailed user=<BR />|stats count, values(user) as Usuario by _time<BR />|eval Fecha = strftime(max(_time), "%d/%m/%Y %H:%M:%S")<BR />|rename count as Contador<BR />|sort -Contador<BR />|table Fecha, Usuario, Contador<BR /><BR />Can you help me, please?</P> Tue, 06 Sep 2022 03:38:22 GMT m0rt1f4g0 2022-09-06T03:38:22Z https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612015#M212799 <P>I have a table with the next information:</P><P>Fecha<BR />31/08/2022 16:16:43<BR />31/08/2022 16:19:48<BR />31/08/2022 16:16:34<BR />31/08/2022 16:16:40</P><P><SPAN>I now want to group these infor&nbsp; by day and hour start and hour end,&nbsp; for example:</SPAN></P><P>31/08/2022&nbsp;16:16:34 -&nbsp;16:19:48<BR /><BR /></P><P>The query:</P><P>index=o365 sourcetype=o365:management:activity Operation=UserLoginFailed user=<BR />|stats count, values(user) as Usuario by _time<BR />|eval Fecha = strftime(max(_time), "%d/%m/%Y %H:%M:%S")<BR />|rename count as Contador<BR />|sort -Contador<BR />|table Fecha, Usuario, Contador<BR /><BR />Can you help me, please?</P> Tue, 06 Sep 2022 03:38:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612015#M212799 m0rt1f4g0 2022-09-06T03:38:22Z https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612017#M212800 <P>You use the 'bin' command to specify a time window then stats, i.e.</P><LI-CODE lang="markup">... | bin _time span=1h | stats xxx by _time</LI-CODE><P>&nbsp;</P> Tue, 06 Sep 2022 03:54:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612017#M212800 bowesmana 2022-09-06T03:54:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612021#M212801 <P>Hi,&nbsp;I made the modifications:</P><P>The query:</P><P>index=o365 sourcetype=o365:management:activity Operation=UserLoginFailed user=esancheza*<BR />|bin _time span=1h<BR />|stats count, values(user) as Usuario by _time<BR />|eval Fecha = strftime(max(_time), "%d/%m/%Y %H:%M:%S")<BR />|rename count as Contador<BR />|sort -Contador<BR />|table Fecha, Usuario, Contador</P><P>&nbsp;</P><P>But&nbsp;the result is not as expected</P><P>Result:</P><P>Fecha<BR />31/08/2022 16:00:00</P><P>I would like the next result:</P><P><SPAN>31/08/2022&nbsp;16:16:34 -&nbsp;16:19:48</SPAN></P> Tue, 06 Sep 2022 04:07:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612021#M212801 m0rt1f4g0 2022-09-06T04:07:24Z https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612024#M212803 <P>If you are looking to get the counts/users within the 1h window, but also the min/max time of those events, then this will do it</P><P>&nbsp;</P><LI-CODE lang="markup">... your search... | eval t=_time | bin _time span=5m | stats min(t) as min max(t) as max count, values(user) as Usuario by _time | eval Fecha=strftime(min, "%d/%m/%Y %T")." - ".strftime(max, "%T")</LI-CODE><P>&nbsp;</P> Tue, 06 Sep 2022 04:22:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612024#M212803 bowesmana 2022-09-06T04:22:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612124#M212826 <P>Wow, You´re amazing!</P><P>&nbsp;</P><P>Thank you!</P> Tue, 06 Sep 2022 17:13:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-span-with-stats/m-p/612124#M212826 m0rt1f4g0 2022-09-06T17:13:58Z