https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183426#M52806 <P>I have a list of logs that are relevant to a specific sourcetype and serial Number. My search results in the following types of logs which have mutiple phase values. My logs look like the following and naturally show up in chronological order (latest first) from the search query:</P> <P>Search: sourcetype="loglist" serialnum="n1234" segmentid="15" </P> <P>Logs:<BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="precall", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="callexcept", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="precall", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="callresult", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="precall", </P> <P>I'm interested in getting (1) the timestamps and (2) the duration for the earliest or latest combination of precall and callresult logs. i.e., the time difference between the earliest log with phase="precall" and earliest log with phase="callresult". I would like to be able to (2) repeat this with the latest combinations and (2) scale this query to all serialnumbers and their corresponding segmentids within the sourcetype.</P> <P>I tried this:<BR /> sourcetype="loglist" serialnum="N1234" segmentid="15"| stats earliest(eval(phase="precall")) as d1 earliest(eval(phase="callresult")) as d2| eval k1=d1 | eval k2=d2| transaction startswith(k1) endswith (k2) | table duration</P> <P>Splunk identifies the events, but it's unable to perform any calculations on it. I'm basically trying to assign the earliest precall and callresult logs to a new field so that I can calculate duration based of that. Any thoughts on how I can modify this search would help! Thanks!</P> Fri, 08 May 2015 00:52:49 GMT aramakrishnan 2015-05-08T00:52:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183426#M52806 <P>I have a list of logs that are relevant to a specific sourcetype and serial Number. My search results in the following types of logs which have mutiple phase values. My logs look like the following and naturally show up in chronological order (latest first) from the search query:</P> <P>Search: sourcetype="loglist" serialnum="n1234" segmentid="15" </P> <P>Logs:<BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="precall", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="callexcept", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="precall", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="callresult", <BR /> ...serialnum="n1234"..."segmentid=15", host="abcd", phase="precall", </P> <P>I'm interested in getting (1) the timestamps and (2) the duration for the earliest or latest combination of precall and callresult logs. i.e., the time difference between the earliest log with phase="precall" and earliest log with phase="callresult". I would like to be able to (2) repeat this with the latest combinations and (2) scale this query to all serialnumbers and their corresponding segmentids within the sourcetype.</P> <P>I tried this:<BR /> sourcetype="loglist" serialnum="N1234" segmentid="15"| stats earliest(eval(phase="precall")) as d1 earliest(eval(phase="callresult")) as d2| eval k1=d1 | eval k2=d2| transaction startswith(k1) endswith (k2) | table duration</P> <P>Splunk identifies the events, but it's unable to perform any calculations on it. I'm basically trying to assign the earliest precall and callresult logs to a new field so that I can calculate duration based of that. Any thoughts on how I can modify this search would help! Thanks!</P> Fri, 08 May 2015 00:52:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183426#M52806 aramakrishnan 2015-05-08T00:52:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183427#M52807 <P>Right now, you're using <CODE>stats</CODE> which gathers everything up into buckets as designated. What it sounds like you are looking for is THE earliest as a single value and then do something with that value... so you want <CODE>streamstats</CODE>. it uses the same functions.</P> <P>If that doesn't do it for you or at least make sense... you might want to explain the statement "unable to perform any calculations on it". Like what?</P> Fri, 08 May 2015 05:00:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183427#M52807 rsennett_splunk 2015-05-08T05:00:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183428#M52808 <P>This should work:</P> <PRE><CODE>sourcetype="loglist" | stats earliest(eval(phase="precall")) as d1 earliest(eval(phase="callresult")) as d2 by serialnum,segmentid | eval duration=d2-d1 </CODE></PRE> Fri, 08 May 2015 14:37:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-report-on-timestamps-for-earliest-and-latest-field/m-p/183428#M52808 woodcock 2015-05-08T14:37:08Z