Splunk Search

How do i pick the first and last value in a table with one column

khalidpunk
New Member

I am doing a CTF that provides logs to filter and work through. One of the questions asks for the time period between when the brute force attack was carried out and the last request that was sent.

To find the first timestamp I used

```
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"| table _time | sort by _time | head 1
```

Similarly, I used

```
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"| table _time | sort by _time | tail 1
```

Each search query works fine by itself, but when used together they don't. Also, trying to use

```
eval start_time = index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"| table _time | sort by _time | head 1
```

throws an error:

Error: "Comparator '=' has an invalid term on the left hand side: start_time=index."

How do I choose the first and last datetime from the table created without using two queries?

0 Karma

ITWhisperer
SplunkTrust
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"
| stats earliest(_time) as start latest(_time) as end
0 Karma
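As an added example (not part of ITWhisperer's answer), the same `stats` line extended so a single search also reports the span between the two timestamps, which is what the CTF question actually asks for. It assumes the same index, sourcetype and `regex` filter as the searches above; `range(_time)` is the max-minus-min of the matched events in seconds.

```spl
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd*
| regex "passwd=batman"
| stats earliest(_time) as start latest(_time) as end range(_time) as duration_sec count as requests
| eval duration=tostring(duration_sec, "duration")
| eval start=strftime(start, "%Y-%m-%d %H:%M:%S"), end=strftime(end, "%Y-%m-%d %H:%M:%S")
| table start end duration duration_sec requests
```

`tostring(X, "duration")` renders the seconds as HH:MM:SS; the `strftime` line is only there so the epoch values read as dates in the result table.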