Solved: How can I modify my search to filter and display o...

pavanae · ‎11-09-2016

search :- My search | stats values(date_hour) as Access_time by user

The above search displays the user id with their accesses hour on the right. Now how can i display only the 1st value and last value of Access_time for each user.

Example if I have the result as below

user Access_time
A 16
18
19
22

Now I just want the first and last value of the Access_time as below

user Access_time
A 16 -- 22

cmerriman · ‎11-09-2016

My search | stats earliest(date_hour) as FirstHour latest(date_hour) as LastHour by user|eval accessTime=FirstHour+"--"+LastHour|fields - FirstHour - LastHour

try something like this.

View solution in original post

cmerriman · ‎11-09-2016

My search | stats earliest(date_hour) as FirstHour latest(date_hour) as LastHour by user|eval accessTime=FirstHour+"--"+LastHour|fields - FirstHour - LastHour

try something like this.

pavanae · ‎11-09-2016

Thanks for the responce. Now Can you help me calcullating the standard deviation for the last 7 days. Where standard_deviation is if accessTime is 3 times standard deviation of average?

How can I modify my search to filter and display only the first and second value?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024