Solved: Splunk Data sorting

ringbbg · ‎07-18-2017

HI Everyone.

I am trying to put in table format some alarm data in our enterprise network with the query below.

      <query>sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket" | table _time, machine, Feed, IP, PORT, log | sort 0 -_time</query>
      <earliest>$_time.earliest$</earliest>
      <latest>$_time.latest$</latest>

I am able to get all the data, but I would like to display the alarms the first time they occured and the most recent one. With the syntax above, It displays everything and there are a lot of duplicates. Is there a way to do that?

Thanks.

woodcock · ‎07-18-2017

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket"
| stats min(_time) AS first_time max(_time) AS last_time BY machine Feed IP Port log

View solution in original post

woodcock · ‎07-18-2017

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket"
| stats min(_time) AS first_time max(_time) AS last_time BY machine Feed IP Port log

Splunk Data sorting

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Splunk Data sorting

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...