Help using earliest, latest and finding the first ...

xploresplunk · ‎06-15-2019

I have 7 different fields that I need to get information from in different ways. They're all under the same index, source and sourcetype. Here are the 7 fields and the 7 different things that I need to achieve:

Field1: I need to go through the logs of this Field and find the EARLIEST time one of the values inside this field contains the word "Example1"
Field2: same as in Field1 but I need to go through Field2 and find the EARLIEST time the word “example2” is in one of its values.
Field3: find the EARLIEST value of Field3.
Field4: find the LATEST value of Field4
Field5: find the LATEST value of Field4.
Field6: I need to go through the values of this Field and find the LATEST time one of the values inside this field contains the word "Example6"
Field7: same as Field6 but I need to go through Field7 and find LATEST occurrence of the word “example7”.

I want to store each of these times acquired in each field as different values. My goal is to have a table displaying the times I found for each occurrence.
Further, some of the fields may not contain the world I'm looking for so I want it to stay blank. I do not want to restrict the number of events.

jnudell_2 · ‎06-17-2019

You can try this:

index=myindex ("example1" OR "example2" OR "event3" OR "event4" OR "event5" OR "example6" OR "example7")

| eval type = case(match(_raw, "example1"), "Event1", match(_raw, "example2"), "Event2", match(_raw, "event3"), "Event3", match(_raw, "event4"), "Event4", match(_raw, "event5"), "Event5", match(_raw, "example6"), "Event6", match(_raw, "example7"), "Event7")

| stats earliest(eval(strftime(case(type=="Event1", _time), "%F %T"))) as EarliestEvent1, earliest(eval(strftime(case(type=="Event2", _time), "%F %T"))) as EarliestEvent2, earliest(eval(strftime(case(type=="Event3", _time), "%F %T"))) as EarliestEvent3, latest(eval(strftime(case(type=="Event4", _time), "%F %T"))) as LatestEvent4, latest(eval(strftime(case(type=="Event5", _time), "%F %T"))) as LatestEvent5, latest(eval(strftime(case(type=="Event6", _time), "%F %T"))) as LatestEvent6, latest(eval(strftime(case(type=="Event7", _time), "%F %T"))) as LatestEvent7

Here is what it will look like with some dummy data:

Without more detail of what exactly you're looking for and a sample of data / mock-up of what you want to see, it's difficult to provide what you're looking for.

xploresplunk · ‎06-17-2019

I've updated the question. Sorry for the confusion. I cannot provide sample data as it contains sensitive information. Again, Im so sorry for the confusion. I'm a new user and confused myself with the terminology

jnudell_2 · ‎06-17-2019

You can provide sample data, with all sensitive information masked out.

xploresplunk · ‎06-18-2019

I've added a picture and I highlighted the word that I'm trying to get the time of (In that case, the earliest)

xploresplunk · ‎06-27-2019

This doesnt work. Earliestevent1,2,3 are displaying the same time. Utilizing earliest(_time) works for me, but when I use it twice the time doesn't update. For example if the first occurrence of the word "example1" is at 1:22 and the first occurrence of the word "example2" is at 1:07 then both store 1:07 as the time stamp. Is there any way to fix this? Can I clear earliest(_time)? I want to get the first time that "event1" was written and the first time "event2" was written and save them in two different values. Im trying to create a timeline so I need the specific times for each.

jkat54 · ‎06-17-2019

Event1: I need to go through the logs of this event and find the EARLIEST occurrence of the word “example1” in one of the paragraphs it contains.

index=yourindex "example1" | stats earliest(_time) as earliest | convert ctime(earliest)
Event2: same as Event1 but I need to go through event2 and find EARLIEST occurrence of the word “example2”.
```
 index=yourindex "example2" | stats earliest(_time) as earliest | convert ctime(earliest) 
```

Event3: find the EARLIEST log of event3.

 index=yourindex "event3" | stats earliest(_time) as earliest | convert ctime(earliest)

Event4: find the LATEST log of event4

 index=yourindex "event4" | stats latest(_time) as latest| convert ctime(latest)

Event5: find the LATEST log of event [5].

 index=yourindex "event5" | stats latest(_time) as latest| convert ctime(latest)

Event6: I need to go through the logs of this event and find the LATEST occurrence of the word “example6” in one of the paragraphs it contains.
```
 index=yourindex "event6" "example6" | stats latest(_time) as latest| convert ctime(latest) 
```
Event7: same as Event6 but I need to go through event7 and find LATEST occurrence of the word “example7”.
```
 index=yourindex "event6" "example7" | stats latest(_time) as latest| convert ctime(latest) 
```

xploresplunk · ‎06-27-2019

Utilizing earliest(_time) works for me, but when I use it twice the time doesn't update. For example if the first occurrence of the word "example1" is at 1:22 and the first occurrence of the word "example2" is at 1:07 then both store 1:07 as the time stamp. Is there any way to fix this? Can I clear earliest(_time)?

jkat54 · ‎06-27-2019

You can use stats min(_time} as earliest | concert ctime(earliest)

Or several as long as you use "as" clause to rename it.

xploresplunk · ‎06-27-2019

Could you refer to this post? https://answers.splunk.com/answers/755758/using-join-earliest-table-and-latest.html?minQuestionBodyL...

It explains my issue a little bit more. I tried using min and it still doesnt work. Thank you so much

woodcock · ‎06-15-2019

I agree with the other comments. Use the terms correctly, provide sample data, and a mockup of the desired final output. It looks like perhaps when you wrote event, you meant sourcetype?

xploresplunk · ‎06-18-2019

I've added a picture and I highlighted the word that I'm trying to get the time of (In that case, the earliest)

xploresplunk · ‎06-27-2019

I was able to figure out a lot of it. I'm running into a problem when using earliest(_time) several times: https://answers.splunk.com/answers/755758/using-join-earliest-table-and-latest.html?minQuestionBodyL...

jnudell_2 · ‎06-15-2019

Your explanation is very confusing, and I think you are using the wrong terminology.

Sample data would be extremely helpful.

Questions:
- What is event1 (event2, event3, ... event7) ?

- Is that a particular event that happens in a log somewhere?

- How can you uniquely identify event1?

- Is there an event code you can reference?
- What is your overall goal for all of these searches?
- Are you creating alerts?
- Are you creating a report?
- Do you want to display results in a dashboard?

Providing context as well as sample data well go a long way in allowing others to consider options for your request.

xploresplunk · ‎06-17-2019

I've updated the question. Let me know if you have any questions. Sorry for the confusion.

richgalloway · ‎06-15-2019

Please provide some sample data.

---
If this reply helps you, Karma would be appreciated.

Help using earliest, latest and finding the first occurrence of string

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...