Solved: Re: Trying to determine min/max date/time for a li...

dbuckley669 · ‎01-18-2021

My search returns a table of a count of ip addresses that have hit our system in a given search period. I am trying to determine what the earliest time and most recent time was for each ip address.

index=myIndex host=mySrvr sourcetype=mysource | stats count by s_ipad, r_ip_country, |Fields s_ipad, r_ip_country. min(_time),max(_time) count | search count>=15 |sort -count

The table of data returns the top 15 ip address and country of origin, however the min(_time) and max(_time) are empty. Any help would be appreciated.

Thanks.

saravanan90 · ‎01-18-2021

This may help...

index=myIndex host=mySrvr sourcetype=mysource | stats count,min(_time),max(_time) by s_ipad, r_ip_country | search count>=15 |sort -count

View solution in original post

Taruchit · ‎09-15-2021

Hello Sir,

Based on the topic, I am trying to fetch the first time and the last time an error occurred in application logs, and thus used following query: -

index="dummy" (search condition) |rex ...(?<error>.*?)...|stats count, min(_time), max(_time) by error

I got for columns in results: error, count, min(_time) and max(_time).

However, in column min(_time) and max(_time) I am getting values like: -
1631484056.103, 1631501959.541 respectively.

Thus, I need your help to convert results of the two columns in readable format.

Thank you

saravanan90 · ‎01-18-2021

This may help...

index=myIndex host=mySrvr sourcetype=mysource | stats count,min(_time),max(_time) by s_ipad, r_ip_country | search count>=15 |sort -count

dbuckley669 · ‎01-18-2021

Search query worked perfect. Thank you.

Trying to determine min/max date/time for a list of ip addresses

other

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update