Solved: Splunk Data sorting

ringbbg · ‎07-18-2017

HI Everyone.

I am trying to put in table format some alarm data in our enterprise network with the query below.

      <query>sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket" | table _time, machine, Feed, IP, PORT, log | sort 0 -_time</query>
      <earliest>$_time.earliest$</earliest>
      <latest>$_time.latest$</latest>

I am able to get all the data, but I would like to display the alarms the first time they occured and the most recent one. With the syntax above, It displays everything and there are a lot of duplicates. Is there a way to do that?

Thanks.

woodcock · ‎07-18-2017

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket"
| stats min(_time) AS first_time max(_time) AS last_time BY machine Feed IP Port log

View solution in original post

woodcock · ‎07-18-2017

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket"
| stats min(_time) AS first_time max(_time) AS last_time BY machine Feed IP Port log

Splunk Data sorting

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

Splunk Data sorting

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...