Splunk Search

Get the timestamp of first occurred error

VikhyathMaiya
Explorer

Hello community. I use Splunk for one of my projects and I had a doubt.

I have a query which roughly looks like the one below

index=app* rum.plugin="myPluginId" rum.status="Error" rum.apiCall="apiCallName" | chart count by rum.companyId

which gives the result like

rum.companyId || count
======================
456789456     || 6
827634966     || 2
456789057     || 4
098765456     || 6
123456789     || 677


And I run this query for the last 24 hours.

Now I want to check whether, for the companyIds listed, a similar Error occurred for these companies (rum.companyId) in the past. If it has occurred, show the timestamp of the first occurrence. So my expected output is something like

rum.companyId || count || First occurrence Timestamp
====================================================
456789456     || 6     || 20/04/90 04:04:04
827634966     || 2     || 20/04/90 04:04:04
456789057     || 4     || 20/04/90 04:04:04
098765456     || 6     || 20/04/90 04:04:04
123456789     || 677   || 20/04/90 04:04:04

Is there any way to achieve this? Thanks in advance.

0 Karma

ITWhisperer
SplunkTrust

Try something like this

| stats count earliest(_time) by rum.companyId
0 Karma
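
A fuller form of the stats approach for the table asked for in the question, added here as an example and not part of either post: stats only sees events inside the search time range, so the search below widens the range, counts only the events from the last 24 hours, and formats the earliest event time in the dd/mm/yy layout of the expected output. The 90-day lookback and the field names first_seen and first_occurrence are assumptions; set the lookback to match your index retention.

```spl
index=app* rum.plugin="myPluginId" rum.status="Error" rum.apiCall="apiCallName" earliest=-90d latest=now
| stats count(eval(_time >= relative_time(now(), "-24h"))) AS count, earliest(_time) AS first_seen BY rum.companyId
| where count > 0
| eval first_occurrence = strftime(first_seen, "%d/%m/%y %H:%M:%S")
| table rum.companyId count first_occurrence
```

The where clause drops companies that had no matching error in the last 24 hours, so the rows match the original 24-hour chart.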