Solved: Re: I want to specify a field which contains time ...

bapun18 · ‎04-18-2022

I want to specify a field that contains time as earliest and another field as latest so that my spl will be executed with the earliest value of the earliest value of fileld1 and latest value as the latest value of the filed 2.

Example,
index=abcd
|table starttimeUTC endtimeutc

in the above search should run as earliest=<earlier value of tarttimeUTC> and latest=<latest value of endtimeutc>

gcusello · ‎04-18-2022

Hi @bapun18,

if you want to use your fields, you can rename them but in the main search you have to use earliest and latest, not other field names, so if in your data you have starttimeUTC and endtimeutc, you could use something like this:

your_main_search [ search index=abcd | stats earliest(starttimeUTC) AS earliest latest(endtimeutc) AS latest ]
| ....

Ciao.

Giuseppe

View solution in original post

gcusello · ‎04-18-2022

Hi @bapun18,

you should try to use a simple search like this:

your_main_search [ search index=abcd | stats earliest(_time) AS earliest latest(_time) AS latest ]
| ....

it's important that you use the field names earliest and latest in the main search.

Ciao.

Giuseppe

gcusello · ‎04-18-2022

Hi @bapun18,

if you want to use your fields, you can rename them but in the main search you have to use earliest and latest, not other field names, so if in your data you have starttimeUTC and endtimeutc, you could use something like this:

your_main_search [ search index=abcd | stats earliest(starttimeUTC) AS earliest latest(endtimeutc) AS latest ]
| ....

Ciao.

Giuseppe

I want to specify a field which contains time as earliest and another field as latest so that my spl will be executed..

eval

fields

metadata

stats

subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!