Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get earliest datetime

poojak2579
Path Finder
‎09-09-2017 06:51 PM

I have a field which contains first_found_date and due to some reason it keeps on changing for some of the assets.

Example:
If an asset "A1" has 3 first_found_date over a period of time:
2017-06-20 22:30:30
2016-05-25 22:30:30
2017-01-25 22:30:30

I want to use earliest first_found(i.e 2016-05-25 22:30:30) in all my reports.
If I use the following query to check the earliest first_found , it takes more than 1 hour to get the value because it has to go through all the records over the period of time.

sourcetype=a
|eval combo = Asset+"_"+ID
|stats min(FIRST_FOUND) as earliest_ff by combo

Is there any way we can correlate the asset with its earliest first_found_date without editing props.conf?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-10-2017 01:30 AM

There are several ways.

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| stats earliest(FIRST_FOUND) AS earliest_ff BY Asset ID
| eval combo = Asset+"_"+ID
| table combo earliest_ff

Or this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| reverse
| dedup Asset ID
| eval combo = Asset+"_"+ID
| table combo FIRST_FOUND
| rename FIRST_FOUND AS earliest_ff

View solution in original post

Reply
Solved! Jump to solution

poojak2579
Path Finder
‎09-12-2017 03:29 PM

Let me make it more clear. There are vulnerabilities on the assets.
ID is the Vulnerability Id and First_Found is the date when it was first found on the asset.
Because of some reason there are multiple First_Found for the combination of Asset+Id.
I want to take earliest First_Found and assign it to the combination of Asset+Id.
I have scheduled a query to run everyday which will check Earliest First_Found in last one year and it takes long time to run.
Is there any way we can assign min of First_Found to Asset+Id so that I don't have to run that query over and over again?

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-10-2017 01:30 AM

There are several ways.

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| stats earliest(FIRST_FOUND) AS earliest_ff BY Asset ID
| eval combo = Asset+"_"+ID
| table combo earliest_ff

Or this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| reverse
| dedup Asset ID
| eval combo = Asset+"_"+ID
| table combo FIRST_FOUND
| rename FIRST_FOUND AS earliest_ff
Reply
Solved! Jump to solution

poojak2579
Path Finder
‎09-12-2017 02:15 PM

Thanks for the reply.
I am already using the first code but it is taking long time to run the query because I have to check million of records with a time range of more than 1 year.
I want to normalize it, assign the min(First_Found) to all the combos at once and then use it everywhere.
Please let me know if there is any other way to do it.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-12-2017 08:56 PM

You will have to make it an index-time field or create an accelerated data model so that you can use tstats. You might also use a summary index.

0 Karma
Reply
Solved! Jump to solution

poojak2579
Path Finder
‎09-13-2017 08:24 AM

I tried accelerated Datamodel and summary index but it didn't work because of some limitations .

https://answers.splunk.com/answers/556349/how-to-join-data-from-two-indexes.html
https://answers.splunk.com/answers/569099/lookup-fields-not-updating-in-the-datamodel.html

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...