Solved: on list of _time values how to get start and end t...

Sivakesava574 · ‎02-26-2021

my search query returns list of _time values for multiple dates and below is start and end times for a each date

2021-02-23 12:27:13.173

2021-02-23 16:18:20.129

2021-02-24 09:18:06.191

2021-02-24 13:22:48.285

2021-02-25 09:02:38.042

2021-02-25 13:04:52.313

in the above list i need to display like below. i have tried multiple ways but unable to get the output in below format. is there any i can extract like below

Date	Start_time	End_time	difference in minutes
2/23/2021	2/23/21 12:27	2/23/21 16:18	231.11593

ITWhisperer · ‎02-26-2021

| eval date=strftime(_time,"%Y-%m-%d")
| stats earliest(_time) as start_time latest(_time) as end_time by date
| eval difference=(end_time-start_time)/60

View solution in original post

Sivakesava574 · ‎02-26-2021

This is resulting the data exactly what i intended

ITWhisperer · ‎02-26-2021

| eval date=strftime(_time,"%Y-%m-%d")
| stats earliest(_time) as start_time latest(_time) as end_time by date
| eval difference=(end_time-start_time)/60

on list of _time values how to get start and end times by specific date in splunk

stats

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

on list of _time values how to get start and end times by specific date in splunk

stats

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR