Display Minimum and Maximum values in a Column

NeonFlash · ‎01-09-2013

I am querying a sourcetype which has a field called _time that displays the timestamp of the event. The format of this field is: 1/9/13 10:10:53.000 AM

Now, I want to display the minimum and maximum timestamps in the entire column.

I tried using the min and max functions however it does not give any output.

table min(_time), max(_time)

This way I would get the first instance and the last instance of the event from the logs.

I even tried to use the eval function as follows:

table eval(min(_time)), eval(max(_time))

Suda · ‎01-09-2013

I recommend you to use the following search commans after your searches.

(your search) 
| stats max(_time) AS max min(_time) AS min 
| eval max=strftime(max, "%Y/%m/%d %T.%3Q") 
| eval min=strftime(min, "%Y/%m/%d %T.%3Q")
| table min max

Thanks.

yannK · ‎01-09-2013

use stats, not table.

sdaniels · ‎01-09-2013

I think you may be looking for the commands head and tail.

| head 1 will give you the latest event and tail will give you the earliest for your specified time range.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/head
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Tail

Display Minimum and Maximum values in a Column

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!