How can I use multiple fields and values by differ...

hyungjoon · ‎12-07-2018

Hello,

Here is my question:

Suppose I have 4 fields, and I want to find the recorded time of each step using conditions of the fields.

But, because there is different time and multiple fields involved, I cannot seem to get the result I want

can someone please help me?

kmaron · ‎12-07-2018

try this:

| eval step1_time = case(jobtype=delivery AND status=pending,Time1)
| eval step2_time = case(jobtype=delivery AND status=pending,Time1)
| eval step3_time = case(jobtype=delivery AND (status=delivered OR status=delivery_failed),Time2)
| eval step4_time = case(jobtype=delivery AND (status=delivered OR status=delivery_failed),Time2)
| eval step5_time = case(jobtype=delivery AND status=deposited,Time2)
| eval step6_time = case(jobtype=delivery AND status=deposit_failed,Time2)
| stats earliest(step1_time) as step1 latest(step2_time) as step2 earliest(step3_time) as step3 latest(step4_time) as step4 earliest(step5_time) as step5 latest(step6_time) as step6

How can I use multiple fields and values by different fields of time?

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

How can I use multiple fields and values by different fields of time?

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI