Solved: Re: Is there a way to have the 1st timestamp and l...

newbie09 · ‎08-02-2019

Currently, i have the below result of the search. It is returning the servername,errorcode and the timestamp.
What my objective is to have the 1sttimestamp and lasttimestamp of the server 1 error with the given errocode 50 to be on the same row of the result.
If the error only appears once, then the 1sttimestamp and the lasttimestamp will be the same.

Before:
servername ErrorCode Time
Server1 50 2019-08-03 01:24:05
Server2 50 2019-08-03 01:23:05
server1 50 2019-08-03 01:22:05

After:
servername ErrorCode Lastest Time First_Error_Time
Server1 50 2019-08-03 01:24:05 2019-08-03 01:22:05
Server2 50 2019-08-03 01:23:05 2019-08-03 01:23:05

renjith_nair · ‎08-02-2019

@newbie09,

Try

"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode

You may change the time format using ctime or strftime

Happy Splunking!

View solution in original post

renjith_nair · ‎08-02-2019

@newbie09,

Try

"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode

You may change the time format using ctime or strftime

Happy Splunking!

newbie09 · ‎08-03-2019

Thank you @renjith.nair

working!!!!

newbie09 · ‎08-03-2019

thanks renjith!!! i'll try and let you know.

Is there a way to have the 1st timestamp and last timestamp to be in the same row? Please check below example

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!