Hi Legends,

Need help in displaying start time, when error occurred and end time when it got resolved , in separate column. Currently they are getting displayed in same column like below :

Please let me know how can i modify my query to display results like below:

My Query :

index=test sourcetype="*" STATUS_REASON_CODE IN (U220, U902, U904, U905, Z704, Z900, Z902, Z903, Z904, Z910, Z911, Z912, Z913, Z914, Z920, Z922, Z923, Z924) STATE = FAILED | fields STATE _time STATUS_REASON_CODE | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS Time | convert timeformat="%Y-%m-%d" ctime(_time) AS TimeDay | eval FailTime=case(field_name="Failure Time", _time) | eval ReasonCode=case(field_name="Reason Code", STATUS_REASON_CODE) | eval State=case(field_name="State", STATE) | eval minTime = (min(Time)) | rename STATUS_REASON_CODE as REASON_CODE | sort - Time | table STATE TimeDay minTime REASON_CODE