Splunk Search

Is there a way to have the 1st timestamp and last timestamp to be in the same row? Please check below example

newbie09
Explorer

Currently, I have the below result of the search. It is returning the servername, errorcode and the timestamp.
My objective is to have the 1st timestamp and last timestamp of the server 1 error with the given error code 50 on the same row of the result.
If the error only appears once, then the 1sttimestamp and the lasttimestamp will be the same.

Before:
servername | ErrorCode | Time
Server1 | 50 | 2019-08-03 01:24:05
Server2 | 50 | 2019-08-03 01:23:05
server1 | 50 | 2019-08-03 01:22:05

After:
servername | ErrorCode | Latest Time | First_Error_Time
Server1 | 50 | 2019-08-03 01:24:05 | 2019-08-03 01:22:05
Server2 | 50 | 2019-08-03 01:23:05 | 2019-08-03 01:23:05

0 Karma
1 Solution

renjith_nair
Legend

@newbie09,

Try

"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode

You may change the time format using ctime or strftime

Happy Splunking!

0 Karma
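
Added example, not part of the original posts: the suggested stats search run over the three sample rows from the question, built inline with makeresults in a field named constructed_row so it runs without any index, followed by the strftime formatting the answer mentions. The lower() step is an assumption added here: grouping in a by clause is case-sensitive, so "Server1" and "server1" would otherwise come back as separate rows.

```spl
| makeresults
| eval constructed_row=split("Server1,50,2019-08-03 01:24:05;Server2,50,2019-08-03 01:23:05;server1,50,2019-08-03 01:22:05", ";")
| mvexpand constructed_row
| eval servername=mvindex(split(constructed_row, ","), 0)
| eval ErrorCode=mvindex(split(constructed_row, ","), 1)
| eval _time=strptime(mvindex(split(constructed_row, ","), 2), "%Y-%m-%d %H:%M:%S")
| eval servername=lower(servername)
| stats latest(_time) as LatestTime, earliest(_time) as Earliest by servername, ErrorCode
| eval LatestTime=strftime(LatestTime, "%Y-%m-%d %H:%M:%S")
| eval Earliest=strftime(Earliest, "%Y-%m-%d %H:%M:%S")
```

Against real data, replace everything above the lower() line with the base search; a server whose error appears once gets the same value in both columns.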

0 Karma

newbie09
Explorer

Thank you @renjith.nair

working!!!!

0 Karma

newbie09
Explorer

Thanks renjith!!! I'll try and let you know.

0 Karma