Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to have the 1st timestamp and last timestamp to be in the same row? Please check below example

newbie09
Explorer
‎08-02-2019 08:03 PM

Currently, i have the below result of the search. It is returning the servername,errorcode and the timestamp.
What my objective is to have the 1sttimestamp and lasttimestamp of the server 1 error with the given errocode 50 to be on the same row of the result.
If the error only appears once, then the 1sttimestamp and the lasttimestamp will be the same.

Before:
servername ErrorCode Time
Server1 50 2019-08-03 01:24:05
Server2 50 2019-08-03 01:23:05
server1 50 2019-08-03 01:22:05

After:
servername ErrorCode Lastest Time First_Error_Time
Server1 50 2019-08-03 01:24:05 2019-08-03 01:22:05
Server2 50 2019-08-03 01:23:05 2019-08-03 01:23:05

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-02-2019 09:45 PM

@newbie09,

Try

"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode

You may change the time format using ctime or strftime

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-02-2019 09:45 PM

@newbie09,

Try

"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode

You may change the time format using ctime or strftime

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

newbie09
Explorer
‎08-03-2019 01:02 AM

Thank you @renjith.nair

working!!!!

0 Karma
Reply
Solved! Jump to solution

newbie09
Explorer
‎08-03-2019 12:00 AM

thanks renjith!!! i'll try and let you know.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...