On a list of _time values, how to get start and end times by specific date in Splunk

Sivakesava574
Explorer

My search query returns a list of _time values for multiple dates, and below are the start and end times for each date

2021-02-23 12:27:13.173

2021-02-23 16:18:20.129

2021-02-24 09:18:06.191

2021-02-24 13:22:48.285

2021-02-25 09:02:38.042

2021-02-25 13:04:52.313

From the above list I need to display it like below. I have tried multiple ways but am unable to get the output in the below format. Is there any way I can extract it like below?

| Date | Start_time | End_time | difference in minutes |
|---|---|---|---|
| 2/23/2021 | 2/23/21 12:27 | 2/23/21 16:18 | 231.11593 |


ITWhisperer
SplunkTrust

| eval date=strftime(_time,"%Y-%m-%d")
| stats earliest(_time) as start_time latest(_time) as end_time by date
| eval difference=(end_time-start_time)/60


Sivakesava574
Explorer

This results in exactly the data I intended.
