Splunk Search
Highlighted

How can I modify my search to filter and display only the first and second value?

Builder

search :- My search | stats values(datehour) as Accesstime by user

The above search displays the user id with their accesses hour on the right. Now how can i display only the 1st value and last value of Access_time for each user.

Example if I have the result as below

user Access_time
A 16
18
19
22

Now I just want the first and last value of the Access_time as below

user Access_time
A 16 -- 22

0 Karma
Highlighted

Re: How can I modify my search to filter and display only the first and second value?

Super Champion
My search | stats earliest(date_hour) as FirstHour latest(date_hour) as LastHour by user|eval accessTime=FirstHour+"--"+LastHour|fields - FirstHour - LastHour

try something like this.

View solution in original post

0 Karma
Highlighted

Re: How can I modify my search to filter and display only the first and second value?

Builder

Thanks for the responce. Now Can you help me calcullating the standard deviation for the last 7 days. Where standard_deviation is if accessTime is 3 times standard deviation of average?

0 Karma