Solved: Splunk Data sorting

ringbbg · ‎07-18-2017

HI Everyone.

I am trying to put in table format some alarm data in our enterprise network with the query below.

      <query>sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket" | table _time, machine, Feed, IP, PORT, log | sort 0 -_time</query>
      <earliest>$_time.earliest$</earliest>
      <latest>$_time.latest$</latest>

I am able to get all the data, but I would like to display the alarms the first time they occured and the most recent one. With the syntax above, It displays everything and there are a lot of duplicates. Is there a way to do that?

Thanks.

woodcock · ‎07-18-2017

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket"
| stats min(_time) AS first_time max(_time) AS last_time BY machine Feed IP Port log

View solution in original post

woodcock · ‎07-18-2017

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=ntwkalrt "12924" "Connection refused" "TCPSocket"
| stats min(_time) AS first_time max(_time) AS last_time BY machine Feed IP Port log

Splunk Data sorting

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!