Splunk Search

How to group records and find the max/min per group?

splunkos
New Member

Hello!

Can I ask something very basic as it will help me get started quickly?

How can I structure a query to:

1) group records by a [Field1]

2) calculate max and min [Date] for each group of the above (i.e. unique value of [Field1])

3) calculate the difference between max and min [Date] from above

Thanks!


VatsalJagani
SplunkTrust

@splunkos - Easy, below is how you can do that.


index=<search for your data>
| stats min(Date) as min_Date, max(Date) as max_Date BY Field1
``` stats groups the data as you need: the fields after the BY keyword are what you group by; before the BY keyword are the aggregation functions applied to each group. ```
| eval difference = max_Date - min_Date
``` Difference between max and min Date. Subtraction needs numeric values, so Date is assumed to be epoch seconds here. ```

Here ``` ... ``` marks comments for your understanding.

stats command reference - https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Stats

eval command reference - https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Eval 


I hope this helps!!! Kindly upvote if this helps!!!
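The following is an added example and is not part of the original question or answer. It runs the same stats/eval pattern over a handful of constructed sample events (the host names and timestamps are made up) and covers the case the thread leaves implicit: when [Date] arrives as a text timestamp rather than epoch seconds, it has to be converted with strptime() before any subtraction works, and range() yields max minus min directly inside stats. The field names Field1 and Date follow the thread; Date_epoch, difference_seconds and difference_readable are names chosen for this example.

```spl
| makeresults count=1
``` Constructed sample events: Field1 is a host name, Date is an ISO-8601 string, one event per row ```
| eval rows="host-a|2024-03-01T08:00:00;host-a|2024-03-01T09:30:00;host-b|2024-03-01T08:15:00;host-b|2024-03-03T08:15:00"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<Field1>[^|]+)\|(?<Date>.+)$"
``` A string Date cannot be subtracted; convert it to epoch seconds first ```
| eval Date_epoch=strptime(Date, "%Y-%m-%dT%H:%M:%S")
``` One row per unique Field1: min, max, and range() (max minus min) of the epoch value ```
| stats min(Date_epoch) as min_Date, max(Date_epoch) as max_Date, range(Date_epoch) as difference_seconds BY Field1
``` Turn the epochs back into readable timestamps and the difference into D+HH:MM:SS for the results table ```
| eval min_Date=strftime(min_Date, "%Y-%m-%d %H:%M:%S"), max_Date=strftime(max_Date, "%Y-%m-%d %H:%M:%S")
| eval difference_readable=tostring(difference_seconds, "duration")
| table Field1 min_Date max_Date difference_seconds difference_readable
```

Against real data, replace the makeresults/eval/makemv/mvexpand/rex block with your base search and keep everything from the strptime() line onward; adjust the strptime() format string to match how your Date field is actually written, and check one row by hand (isnull() on Date_epoch flags events whose timestamp did not parse, which would otherwise silently drop out of min/max).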
