How to group records and find the max/min per grou...

splunkos · ‎01-22-2023

Hello!

Can I ask something very basic as it will help me get started quickly?

How can I structure a query to:

1) group records by a [Field1]

2) calculate max and min [Date] for each group of the above (i.e. unique value of [Field1])

3) calculate the difference between max and min [Date] from above

Thanks!

VatsalJagani · ‎01-22-2023

@splunkos - Easy below is how you can do that.

index=<search for your data>
| stats min(Date) as min_Date, max(Date) as max_Date BY Field1
``` stats command groups the data as you need. After the BY keyword is what you need to group with. Before the BY keyword is different functions you can use.```
| eval difference = max_Date - min_Date
``` Difference between max and min Date```

Here ``` is comments for your understanding ```

stats command reference - https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Stats

eval command reference - https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Eval

I hope this helps!!! Kindly upvote if this helps!!!

How to group records and find the max/min per group?

fields

stats

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?