Solved: How do I create a Dashboard that shows earliest an...

gmasca · ‎12-04-2018

Hi,

I am new to Splunk and I am trying the following, but I can't find how.

I need to create a dashboard showing the results of pooling on a value from multiple devices.

I like to show in the same line device, earliest result, and oldest result.

I can make the list of results and merge them into one line per device, but not separate the earliest and oldest results in columns

Example:
Data from the pooling
host1, value 1, time: 1/12/2018 11:00
host2, value 2, time: 1/12/2018 11:00
host1, value 3, time: 1/12/2018 11:05
host2, value 4, time: 1/12/2018 11:05

Dashboard:
host / earlist / oldest
host1 / 3 / 1
host2 / 4 / 2

Any help is much appreciated.
Thank you,

whrg · ‎12-04-2018

Hi!
Try this:

basesearch | stats earliest(value) as earliest latest(value) as oldest by host

View solution in original post

whrg · ‎12-04-2018

Hi!
Try this:

basesearch | stats earliest(value) as earliest latest(value) as oldest by host

gmasca · ‎12-04-2018

Thanks! It worked.

How do I create a Dashboard that shows earliest and oldest values?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?