Solved: on list of _time values how to get start and end t...

Sivakesava574 · ‎02-26-2021

my search query returns list of _time values for multiple dates and below is start and end times for a each date

2021-02-23 12:27:13.173

2021-02-23 16:18:20.129

2021-02-24 09:18:06.191

2021-02-24 13:22:48.285

2021-02-25 09:02:38.042

2021-02-25 13:04:52.313

in the above list i need to display like below. i have tried multiple ways but unable to get the output in below format. is there any i can extract like below

Date	Start_time	End_time	difference in minutes
2/23/2021	2/23/21 12:27	2/23/21 16:18	231.11593

ITWhisperer · ‎02-26-2021

| eval date=strftime(_time,"%Y-%m-%d")
| stats earliest(_time) as start_time latest(_time) as end_time by date
| eval difference=(end_time-start_time)/60

View solution in original post

Sivakesava574 · ‎02-26-2021

This is resulting the data exactly what i intended

ITWhisperer · ‎02-26-2021

| eval date=strftime(_time,"%Y-%m-%d")
| stats earliest(_time) as start_time latest(_time) as end_time by date
| eval difference=(end_time-start_time)/60

on list of _time values how to get start and end times by specific date in splunk

stats

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes