Solved: How can I modify my search to filter and display o...

pavanae · ‎11-09-2016

search :- My search | stats values(date_hour) as Access_time by user

The above search displays the user id with their accesses hour on the right. Now how can i display only the 1st value and last value of Access_time for each user.

Example if I have the result as below

user Access_time
A 16
18
19
22

Now I just want the first and last value of the Access_time as below

user Access_time
A 16 -- 22

cmerriman · ‎11-09-2016

My search | stats earliest(date_hour) as FirstHour latest(date_hour) as LastHour by user|eval accessTime=FirstHour+"--"+LastHour|fields - FirstHour - LastHour

try something like this.

View solution in original post

cmerriman · ‎11-09-2016

My search | stats earliest(date_hour) as FirstHour latest(date_hour) as LastHour by user|eval accessTime=FirstHour+"--"+LastHour|fields - FirstHour - LastHour

try something like this.

pavanae · ‎11-09-2016

Thanks for the responce. Now Can you help me calcullating the standard deviation for the last 7 days. Where standard_deviation is if accessTime is 3 times standard deviation of average?

How can I modify my search to filter and display only the first and second value?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk