I'm trying to figure out a search that will parse through all events from a specific sourcetype.
For each unique value of a field (for example user=example), I want to calculate and display, in a new column, the time difference between the oldest and the newest event (the time field is _time).
Here is what I've been trying to do, and it doesn't work:
user=* action=failure |foreach user [eval dif=max(_time)-min(_time)] | table user , dif , src
Try this query.
index=foo sourcetype=bar | stats range(_time) as dif by field | table field, dif
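The query above gives the per-user span but drops the src column the question asked for. Here is an expanded version of that same stats-based approach, added here as an example and not part of either original answer; index=foo and sourcetype=bar are placeholders taken from the answer above, and user, action=failure and src are the field names from the question. It keeps the first and last failure timestamps, the failure count and the source addresses alongside the range, which is usually what you want when the events are authentication failures and you are sizing a brute-force window.

```spl
index=foo sourcetype=bar action=failure user=*
| stats min(_time) AS first_seen max(_time) AS last_seen range(_time) AS dif count AS failures values(src) AS src BY user
| eval dif_readable=tostring(dif, "duration")
| convert ctime(first_seen) ctime(last_seen)
| table user dif dif_readable failures src first_seen last_seen
| sort - failures
```

range(_time) is simply max(_time) minus min(_time) in seconds, so dif is the same number the question's eval was trying to compute; tostring(dif, "duration") renders it as HH:MM:SS, and convert ctime() turns the epoch timestamps into readable dates after the arithmetic is done. Because stats groups in a single pass, this scales to any number of distinct users, whereas a map-based approach runs one subsearch per user and stops at map's default maxsearches limit of 10 unless you raise it.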
Try this query (after you adjust it to your data, of course):
index=_internal sourcetype=splunkd | fields log_level | stats count by log_level | map search="search index=_internal sourcetype=splunkd log_level=$log_level$ | stats min(_time) as min max(_time) as max by log_level | eval diff=(max-min)/86400 | fields diff log_level"
log_level = users