My search returns a table of a count of IP addresses that have hit our system in a given search period. I am trying to determine what the earliest time and most recent time were for each IP address.
index=myIndex host=mySrvr sourcetype=mysource | stats count by s_ipad, r_ip_country, |Fields s_ipad, r_ip_country. min(_time),max(_time) count | search count>=15 |sort -count
The table of data returns the top 15 IP addresses and country of origin; however, the min(_time) and max(_time) columns are empty. Any help would be appreciated.
Thanks.
This may help...
index=myIndex host=mySrvr sourcetype=mysource | stats count,min(_time),max(_time) by s_ipad, r_ip_country | search count>=15 |sort -count
Hello Sir,
Based on the topic, I am trying to fetch the first time and the last time an error occurred in application logs, and thus used the following query:
index="dummy" (search condition) |rex ...(?<error>.*?)...|stats count, min(_time), max(_time) by error
I got four columns in the results: error, count, min(_time) and max(_time).
However, in the columns min(_time) and max(_time) I am getting values like:
1631484056.103, 1631501959.541 respectively.
Thus, I need your help to convert the results of the two columns into a readable format.
Thank you
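An added example, not taken from the thread, that combines the accepted answer's approach with the readable timestamps asked for in the follow-up: `stats` keeps `min(_time)`/`max(_time)` as epoch seconds, and `eval` with `strftime` renders them after the numeric values have been used to compute how long each source stayed active. The index, host, sourcetype and field names are the ones used in the question; the count threshold, the `first_seen`/`last_seen`/`active_hours` names and the time format are assumptions.

```spl
index=myIndex host=mySrvr sourcetype=mysource
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY s_ipad, r_ip_country
| where count >= 15
| eval active_hours=round((last_seen - first_seen) / 3600, 1)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -count
| table s_ipad, r_ip_country, count, first_seen, last_seen, active_hours
```

The same pattern applies to the error-log case by replacing the `BY` fields with `error`; converting with `strftime` only after the subtraction matters, because once the fields hold formatted strings they can no longer be used in arithmetic.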
Search query worked perfectly. Thank you.