Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I create extract the earliest and latest times for current search and create fields for them?

jedatt01
Builder
‎03-09-2016 12:33 PM

I would like to display the original earliest and latest of a search as fields in my table results. My query below.

index=myindex msg_severity=ERROR | timechart span=15m count by field_TEXT  | untable _time field_TEXT count | eval count = if(count=0,1,count) | streamstats window=2 global=f current=t first(count) As p_count by field_TEXT | eval percent_change=((count-p_count)/(p_count))*100

I would like to add something like this to the end of my search to show the earliest and latest of the search on every row

| eval start=$earliest | eval end=$latest

Is this possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎03-09-2016 12:55 PM

You can use the addinfo command for that:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

Reply
Solved! Jump to solution

jedatt01
Builder
‎03-09-2016 01:14 PM

Exactly what i needed!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...