How to count min max time by user?

t874560 · ‎05-02-2020

Hello,

I am trying to pull min and max time for each user:

index="iptv_rdkb" [|inputlookup usersfile.csv]
| fields _time Source device.make model userId
| stats count by Source make model userId _time
| eventstats max(_time) AS max min(_time) AS min
| eval max=strftime(max, "%Y/%m/%d %T.%3Q")
| eval min=strftime(min, "%Y/%m/%d %T.%3Q")
| stats earliest(min) as min earliest(max) as max first(make) as make first(model) as model first(userId) as user by userId

Results:

Source min max make model userid
b661834 2020-04-10 2020/04/10 TECHN xyz 1
b654623 2020-04-10 2020/04/10 TECHN xyz 2
b637895 2020-04-10 2020/04/10 TECHN xyz 3

This search gives me the same time for each record. For example, if minimum time is 2020-04-10 in any of the records, it will give this date/time in every record instead of giving min-max of that specific user.

I need min and max for each specific user.

Please help.

Vijeta · ‎05-05-2020

@t874560 Use this search

 index="iptv_rdkb" [|inputlookup usersfile.csv]
 | fields _time Source device.make model userId
 | stats count by Source make model userId _time
 | eventstats max(_time) AS max min(_time) AS min by userId
 | eval max=strftime(max, "%Y/%m/%d %T.%3Q")
 | eval min=strftime(min, "%Y/%m/%d %T.%3Q")
 | stats earliest(min) as min earliest(max) as max first(make) as make first(model) as model first(userId) as user by userId

to4kawa · ‎05-02-2020

eventstats can use by clause.

How to count min max time by user?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to count min max time by user?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits