Splunk Search

How do you make a date and time comparison in field values based on a condition?

Path Finder

Hello everyone,

I need your help with a date\time comparison within a table field itself.

Let's suppose any key value goes into status "In QA" after completing status "In Dev" with some date\time, and then again, due to some issues which will be identified later on, the same key value status changed again into "In QA" status.

I am looking for the date\time when Status changed into "In Dev" for the second time.

I have attached a screenshot on the below URL.


Thank you all for any help in advance!

0 Karma

Path Finder

Hi Everyone, Please advise on this request.

Thank you!

0 Karma

Path Finder

Hello Everyone,

Please help me with the solution. If the explanation is not very clear, then I can try more.


0 Karma


Are you just trying to find all tickets where it's not their first time being "In Dev"? If so, I think you could use a combination of

| stats EARLIEST(update_final) AS earliest_update_final, LATEST(update_final) AS latest_update_final BY key
| search earliest_update_final != latest_update_final

0 Karma

Path Finder

I am looking for the date\time when any key value status changed for the 2nd time to "In Dev" status, which is "11-07-2018 09:09:56" in the screenshot.

It is required to show a metric of how many keys failed when they crossed "In Dev" status, and when the status was changed from "In Dev" to "In QA" and testing was done again and it failed. Now the status has again moved to "In Dev" status from "In QA" status.

Thank you for your help on this.

0 Karma

hi @vikas_baranwal

I am not clear what you want. Can you explain properly?

Try like this:

|where key="CORE-36256" and status="In Dev" |stats latest(update_final) as second_time

0 Karma

Path Finder

Hi Hari,

In the screenshot, if you can see what I have highlighted in yellow and red.


Normally the process for any key value status change is

"Ready for Dev" ---> "In Dev" ---> "In QA" ---> Done

But when any issue is found in "In QA" status, the key status rolls back again into "In Dev" and completes the cycle again.

Ready for Dev ---> In Dev ---> In QA ---> Ready for Dev ---> In Dev ---> In QA ---> Done

I am looking here for the date\time when the status changes into "In Dev" status for the 2nd time.

0 Karma
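
An added example, not part of any post in this thread: one way to find when each key entered "In Dev" for the second time, using the thread's `key`, `status` and `update_final` fields. It counts transitions into "In Dev" rather than rows, so several consecutive "In Dev" updates count as one entry. The base search placeholder and the `strptime` format (month-day-year is assumed for values such as "11-07-2018 09:09:56") are assumptions.

```spl
<your base search returning key, status, update_final>
| eval update_epoch=strptime(update_final, "%m-%d-%Y %H:%M:%S")
| sort 0 key update_epoch
| streamstats current=f window=1 last(status) AS prev_status BY key
| where status="In Dev" AND (isnull(prev_status) OR prev_status!="In Dev")
| streamstats count AS dev_entry BY key
| where dev_entry=2
| table key update_final
```

Replacing the final `table` with `| stats dc(key) AS keys_returned_to_dev` gives the number of keys that went back to "In Dev" at least once.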