Splunk Search

How can I extract the earliest and latest times for the current search and create fields for them?

jedatt01
Builder

I would like to display the original earliest and latest of a search as fields in my table results. My query is below.

index=myindex msg_severity=ERROR | timechart span=15m count by field_TEXT  | untable _time field_TEXT count | eval count = if(count=0,1,count) | streamstats window=2 global=f current=t first(count) As p_count by field_TEXT | eval percent_change=((count-p_count)/(p_count))*100

I would like to add something like this to the end of my search to show the earliest and latest of the search on every row:

| eval start=$earliest | eval end=$latest

Is this possible?

0 Karma
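One way to get those two fields onto every row, as an added example (the accepted answer from javiergn is not reproduced on this page, and this is not his code): Splunk's built-in `addinfo` command appends `info_min_time` and `info_max_time` (the search's earliest and latest bounds, as epoch seconds) to each result, and `strftime` turns them into readable timestamps. The index, field names and query body are the ones from the question; the `start`/`end` field names are the asker's.

```spl
index=myindex msg_severity=ERROR
| timechart span=15m count by field_TEXT
| untable _time field_TEXT count
| eval count = if(count=0,1,count)
| streamstats window=2 global=f current=t first(count) as p_count by field_TEXT
| eval percent_change=((count-p_count)/p_count)*100
| addinfo
| eval start=strftime(info_min_time, "%Y-%m-%d %H:%M:%S"),
       end=strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| fields - info_min_time info_max_time info_search_time info_sid
```

`addinfo` can go anywhere in the pipeline, so placing it after the `streamstats` keeps the earlier aggregation untouched. The trailing `fields -` only hides the helper fields (including `info_sid`, the search job id); drop that line if you want them in the table. If the search has no latest bound (an "all time" search), `info_max_time` comes back as `+Infinity` rather than a number, so guard the `strftime` with an `if()` in dashboards that allow that time range.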
1 Solution

javiergn
SplunkTrust
SplunkTrust

jedatt01
Builder

Exactly what I needed!

0 Karma