cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rogercruz
Engager
Member since: ‎08-01-2019
‎09-16-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎08-01-2019
Activity Feed
View All

Re: How do I find the first and last time a messag...

by in Splunk Search
‎09-13-2020 10:24 PM
‎09-13-2020 10:24 PM
@thambisetty  I must admit that I need a Splunk PhD to understand that query but it seems to work!  I'm glad my confusing request was understood.   Thank you so much! Could you explain the logic behind this query in layman's terms? I tried working with dedup and stats but nothing I came up with could deal with the fact that a repeating sequence could be interrupted and I needed to then reset the start + end.  My Google search magic also failed me in finding any other person asking the same.   Am I the first one to ever find to find out the first + last events of repeating sequences? ... View more

How do I find the first and last time a message is...

by in Splunk Search
‎09-13-2020 12:05 AM
‎09-13-2020 12:05 AM
I would like to create a table that displays the first and last event from a duplicate set of events.  A duplicate run may be interrupted by a non-duplicate event in which case I also want to the display the first and last message when the duplicate events appear again. For example, consider this list of events   | makeresults count=10 | streamstats count | eval _time=1599978591-(count*60) | eval Message = case(count=10, "MessageA", count=9, "MessageA", count=8, "MessageA", count=7, "MessageB", count=6, "MessageB", count=5, "MessageB", count=4, "MessageA", count=3, "MessageA", count=2, "MessageA", count=1, "MessageB") | reverse | table _time, Message   which will create a table similar to: _time Message 2020-09-13 06:19:51 MessageA 2020-09-13 06:20:51 MessageA 2020-09-13 06:21:51 MessageA 2020-09-13 06:22:51 MessageB 2020-09-13 06:23:51 MessageB 2020-09-13 06:24:51 MessageB 2020-09-13 06:25:51 MessageA 2020-09-13 06:26:51 MessageA 2020-09-13 06:27:51 MessageA 2020-09-13 06:28:51 MessageB   Now, I would like to display the first and last time a message is seen, removing any duplicates.. but it needs to consider that the same message may be seen again in another sequence and should be considered a different run to be displayed. I thought of adding this   | stats earliest(_time) as Earliest, latest(_time) as Latest BY Message | eval FirstEvent=strftime(Earliest,"%+"), LastEvent=strftime(Latest,"%+") | table FirstEvent, LastEvent, Message   but it doesn't take into account that there may be multiple sequences of repeated events so it generates FirstEvent LastEvent Message Sun Sep 13 06:19:51 UTC 2020 Sun Sep 13 06:19:51 UTC 2020 MessageA Sun Sep 13 06:22:51 UTC 2020 Sun Sep 13 06:22:51 UTC 2020 MessageB But what I desire is the following output FirstEvent LastEvent Message Sun Sep 13 06:19:51 UTC 2020 Sun Sep 13 06:21:51 UTC 2020 MessageA Sun Sep 13 06:22:51 UTC 2020 Sun Sep 13 06:24:51 UTC 2020 MessageB Sun Sep 13 06:25:51 UTC 2020 Sun Sep 13 06:27:51 UTC 2020 MessageA Sun Sep 13 06:28:51 UTC 2020 Sun Sep 13 06:28:51 UTC 2020 MessageB Any help is extremely appreciated.  Thanks in advance. Roger Cruz ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-16-2020 12:42 AM
Karma given to
View All