Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get the first event time and last event time for field value

SathyaNarayanan
Path Finder
‎08-05-2019 11:27 PM

Hi Splunkers,

My events will look like below.

2019-08-06 10:14:00 TYPE="PLB_1", STATUS="true", CAR="A", PLACE="ABC"
2019-08-06 10:16:00 TYPE="PLB_1", STATUS="false", CAR="A", PLACE="ABC"
2019-08-06 10:19:00 TYPE="PLB_1", STATUS="true", CAR="A", PLACE="ABC"
2019-08-06 10:25:00 TYPE="PLB_1", STATUS="false", CAR="A", PLACE="ABC"
2019-08-06 10:40:00 TYPE="PLB_1", STATUS="false", CAR="C", PLACE="ABC"
2019-08-06 10:49:00 TYPE="PLB_1", STATUS="false", CAR="C", PLACE="ABC"
2019-08-06 10:50:00 TYPE="PLB_2", STATUS="false", CAR="B", PLACE="DEF"
2019-08-06 11:14:00 TYPE="PLB_2", STATUS="false", CAR="B", PLACE="DEF"
2019-08-06 11:25:00 TYPE="PLB_2", STATUS="false", CAR="B", PLACE="DEF"

Now i need to get the when the first status as true time till and last status time it was falst as per the PLACE

So i tried transaction command to combine it startswith=STATUS="true" endswith=STATUS="false" , but in my case status will be changed many time, i need to get the first and last STATUS time.

Eg: I need to know from time and End time the CAR was parked in that place, so tat i can calculate the duration of parking per PLACE and TYPE perCAR.

Thanks in advance.

Tags (1)
0 Karma
Reply

niketn
Legend
‎08-06-2019 01:30 AM

@SathyaNarayanan try the following run anywhere example. You can play around with the search filter as per your need.

| makeresults 
| eval data="2019-08-06 10:14:00 TYPE=\"PLB_1\", STATUS=\"true\", CAR=\"A\", PLACE=\"ABC\";2019-08-06 10:16:00 TYPE=\"PLB_1\", STATUS=\"false\", CAR=\"A\", PLACE=\"ABC\";2019-08-06 10:19:00 TYPE=\"PLB_1\", STATUS=\"true\", CAR=\"A\", PLACE=\"ABC\";2019-08-06 10:25:00 TYPE=\"PLB_1\", STATUS=\"false\", CAR=\"A\", PLACE=\"ABC\";2019-08-06 10:40:00 TYPE=\"PLB_1\", STATUS=\"false\", CAR=\"C\", PLACE=\"ABC\";2019-08-06 10:49:00 TYPE=\"PLB_1\", STATUS=\"false\", CAR=\"C\", PLACE=\"ABC\";2019-08-06 10:50:00 TYPE=\"PLB_2\", STATUS=\"false\", CAR=\"B\", PLACE=\"DEF\";2019-08-06 11:14:00 TYPE=\"PLB_2\", STATUS=\"false\", CAR=\"B\", PLACE=\"DEF\";2019-08-06 11:25:00 TYPE=\"PLB_2\", STATUS=\"false\", CAR=\"B\", PLACE=\"DEF\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "^(?<time>[^\s]+\s[^\s]+)\s"
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S")
| fields - time
| KV
| sort _time
| stats min(_time) as _time max(_time) as LatestTime first(STATUS) as FirstStatus last(STATUS) as LastStatus values(STATUS) as STATUS by TYPE
| search FirstStatus="true" AND LastStatus=false STATUS IN ("true","false")
| eval duration=tostring(LatestTime-_time,"duration")
| fields - LatestTime

PS: Commands from | makeresults till | sort _time generate data as per your use case. Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

SathyaNarayanan
Path Finder
‎08-06-2019 11:24 PM

@niketnilay

thanks,

It worked for me, now i have one more doubt, for example when the park in not used for some time in between, the duration calculates that also, how to more accurate in the duration.

Eg:-

10:00 - True
10:15 - false
10:20 - True
10:23 - False
10:26 - True
10:50 - False

i need to calculate 10:00 to 10:15. then 10:20 to 10:23 and 10:26 to 10:50 , so the duration will be 15 + 3 + 24 = 42.

As per your query it will be 10:00 to 10:50 , so duration will be 50 mins.

thanks in advance

0 Karma
Reply

jawaharas
Motivator
‎08-06-2019 12:17 AM

Bit more clarification will make it easy to help you.

It's unclear from below statement, how you gonna find start and end time of car parking.

"So i tried transaction command to combine it startswith=STATUS="true" endswith=STATUS="false" , **but in my case status will be changed many time, i need to get the first and last STATUS time."

0 Karma
Reply

SathyaNarayanan
Path Finder
‎08-06-2019 01:03 AM

I need to start and end time , by First when status was true and last when status was false, i need to ignore between changes.

Eg:
10:00 - True
10:15 - false
10:20 - True
10:23 - False
10:26 - True
10:50 - False

I need to calculate first event as 10:00 and last even as 10:50 , duration wil be 50 mins.
To get it , i need unique value as car details in all events

I need to know how to get it.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...