So I have splunk events and I want to display information as a time range. For example:
event type1: Started proc1 id=123
event type2: Stoped proc1 id=123
(Assume id 123 is associated with proc1)
So I want to display the time duration for which proc1 ran most recently. I have following splunk query:
index | search "started" OR "Stopped" | where id=123 | sort - _time | head 2
This gives me the 2 events which I'am interested in. But how can I extract the _time from both events?
... View more