Solved: Earliest entry for each host

pitmod · ‎10-15-2020

Hello,

In my lookup I have the following data:

_time='2020-10-21 15:00' usage='1' host='A'
_time='2020-10-26 15:00' usage='2' host='B'
_time='2020-10-21 16:00' usage='3' host='A'
_time='2020-10-23 18:00' usage='4' host='A'
_time='2020-10-24 15:00' usage='2' host='B'

I want to get only the earliest entry for each host so it will look like this:

host='A' _time='2020-10-21 15:00' usage='1'
host='B' _time='2020-10-24 15:00' usage='2'

How can I do it?

thambisetty · ‎10-15-2020

| stats earliest(_time) as _time earliest(usage) as usage by host

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎10-15-2020

| stats earliest(_time) as _time earliest(usage) as usage by host

————————————
If this helps, give a like below.

Earliest entry for each host

lookup

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation