Splunk Search

Using both earliest(_time) and latest(_time) together in a search is returning the same value for both.

jt1234567
Loves-to-Learn

Hi, so I am trying to record the earliest connection for IP addresses and the latest connection for IP addresses; however, when trying to use both the earliest(_time) and latest(_time) commands, it seems that my latest(_time) command is overwriting my earliest(_time) value. Any reason why this is happening, and a potential fix? My code is as follows:

| datamodel Network_Traffic All_Traffic search
| search All_Traffic.src_ip="172.18.*" OR All_Traffic.src_ip="172.19.*" OR All_Traffic.src_ip="172.20.*"
| dedup All_Traffic.src_ip
| eventstats earliest(_time) AS Earliest, latest(_time) AS Latest by All_Traffic.src_ip
| eval Earliest = strftime(Earliest, "%m/%d/%Y:%H:%M:%S")
| eval Latest = strftime(Latest, "%m/%d/%Y:%H:%M:%S")
| table All_Traffic.src_ip Earliest Latest

 


kamlesh_vaghela
SplunkTrust

@jt1234567 

I think the reason is the dedup command.

| dedup All_Traffic.src_ip

 

After this you will have a single record of each All_Traffic.src_ip.

Then the eventstats command runs by All_Traffic.src_ip. The eventstats will not change your basic fields like _time, because there is only one record for each All_Traffic.src_ip.

So I am not sure, but you can try the searches below.

| datamodel Network_Traffic All_Traffic search
| search All_Traffic.src_ip="172.18.*" OR All_Traffic.src_ip="172.19.*" OR All_Traffic.src_ip="172.20.*"
| eventstats earliest(_time) AS Earliest, latest(_time) AS Latest by All_Traffic.src_ip
| dedup All_Traffic.src_ip
| eval Earliest = strftime(Earliest, "%m/%d/%Y:%H:%M:%S")
| eval Latest = strftime(Latest, "%m/%d/%Y:%H:%M:%S")
| table All_Traffic.src_ip Earliest Latest

 

I would also like to suggest that you go with tstats if possible.

| tstats earliest(_time) AS Earliest, latest(_time) AS Latest from datamodel=Network_Traffic
    where (All_Traffic.src_ip="172.18.*" OR All_Traffic.src_ip="172.19.*" OR All_Traffic.src_ip="172.20.*")
    by All_Traffic.src_ip
| eval Earliest = strftime(Earliest, "%m/%d/%Y:%H:%M:%S")
| eval Latest = strftime(Latest, "%m/%d/%Y:%H:%M:%S")
| table All_Traffic.src_ip Earliest Latest

 

Note: These searches are not accurate; you have to make minor changes as per your requirement.

 

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Tstats

 

KV

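The ordering problem discussed in this thread, modelled as an added Python example (this is not Splunk code and not part of the original post). The two helpers imitate what `dedup <field>` and `eventstats earliest(_time) AS Earliest, latest(_time) AS Latest by <field>` do to a list of events, and the two pipeline functions run them in the question's order (dedup first) and in the answer's order (eventstats first). The events, IPs and timestamps are constructed sample data, and Splunk's default newest-first event order is assumed when dedup picks which event to keep.

```python
"""Model of why `dedup` before `eventstats` collapses Earliest and Latest to one value.

Added example, not from the original post: a plain-Python simulation of the two SPL
pipelines. EVENTS below is constructed sample data, not real Network_Traffic events.
"""
from datetime import datetime, timezone

KEY = "All_Traffic.src_ip"

# Constructed sample: two IPs with several connections each, plus one IP
# (172.20.4.4) that only ever connected once. _time is epoch seconds.
EVENTS = [
    {KEY: "172.18.0.5", "_time": 1_700_000_000},
    {KEY: "172.19.1.9", "_time": 1_700_003_600},
    {KEY: "172.18.0.5", "_time": 1_700_007_200},
    {KEY: "172.20.4.4", "_time": 1_700_010_800},
    {KEY: "172.19.1.9", "_time": 1_700_014_400},
    {KEY: "172.18.0.5", "_time": 1_700_018_000},
]


def dedup(events, field):
    """SPL `dedup <field>`: keep only the first event seen for each field value.
    Splunk hands events to dedup newest-first (assumed here), so we sort descending."""
    seen = set()
    kept = []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        if ev[field] not in seen:
            seen.add(ev[field])
            kept.append(dict(ev))
    return kept


def eventstats_earliest_latest(events, by):
    """SPL `eventstats earliest(_time) AS Earliest, latest(_time) AS Latest by <by>`:
    compute the per-group min/max of _time and copy them onto every event in the
    group. Unlike stats, no events are dropped."""
    times_by_group = {}
    for ev in events:
        times_by_group.setdefault(ev[by], []).append(ev["_time"])
    return [
        {**ev, "Earliest": min(times_by_group[ev[by]]), "Latest": max(times_by_group[ev[by]])}
        for ev in events
    ]


def fmt(epoch):
    """SPL `strftime(X, "%m/%d/%Y:%H:%M:%S")`, rendered in UTC for reproducibility."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y:%H:%M:%S")


def table(events):
    """SPL `table All_Traffic.src_ip Earliest Latest`, as a dict keyed by src_ip."""
    return {ev[KEY]: (fmt(ev["Earliest"]), fmt(ev["Latest"])) for ev in events}


def broken_pipeline(events=EVENTS):
    """The original search: dedup first, then eventstats. When eventstats runs, every
    src_ip group holds exactly one event, so Earliest == Latest for all of them."""
    return table(eventstats_earliest_latest(dedup(events, KEY), by=KEY))


def fixed_pipeline(events=EVENTS):
    """The corrected order: eventstats over all events, then dedup to one row per
    src_ip. The surviving row carries the group-wide Earliest and Latest."""
    return table(dedup(eventstats_earliest_latest(events, by=KEY), KEY))


if __name__ == "__main__":
    for name, rows in (("dedup then eventstats", broken_pipeline()),
                       ("eventstats then dedup", fixed_pipeline())):
        print(name)
        for ip, (earliest, latest) in sorted(rows.items()):
            print(f"  {ip:12} Earliest={earliest}  Latest={latest}")
```

Running it shows every row of the first table with Earliest equal to Latest (the timestamp of the single event dedup kept per IP), while the second table spans the IP's first and last connection. The one-connection IP, 172.20.4.4, looks the same in both, which is why the bug is easy to miss on a small time range.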