Hello everyone.
I want to display the output only for the time which crosses 18 months (earliest time).
Give this version a try:
| rest /services/data/indexes
| table title frozenTimePeriodInSecs minTime maxTime totalEventCount
| eval minTime=strptime(minTime,"%FT%T%Z") | eval maxTime=strptime(maxTime,"%FT%T%Z")
| stats sum(totalEventCount) as totalEventCount min(minTime) as minTime max(maxTime) as maxTime values(frozenTimePeriodInSecs) as frozenTimePeriodInSecs by title
| rename title as index
| streamstats count as Row
| eval Days=frozenTimePeriodInSecs/86400
| eval Year=Days/365
| fields Row index frozenTimePeriodInSecs minTime maxTime totalEventCount
| convert ctime(minTime) ctime(maxTime) timeformat="%FT%T%Z"
If you still don't see the time, that is because those indexes do not have any data in them, so there is no minTime/maxTime to display.
Just use a | tstats earliest(_time) as earliestTime by index | convert ctime(earliestTime)
- this will have a look in all indexes and give you the timestamp of the earliest event.
Note - if an index has no data, nothing will show!
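
An added example, not part of either reply above: it combines the two suggestions and applies the 18-month cutoff from the question, listing only indexes whose earliest event is older than 18 months next to their configured retention. The output field names earliestEvent, ageDays and retentionDays are chosen here for illustration, and the search assumes the role running it can search every index and call the /services/data/indexes REST endpoint.

```spl
| tstats earliest(_time) as earliestTime where index=* OR index=_* by index
| where earliestTime < relative_time(now(), "-18mon")
| join type=left index
    [| rest /services/data/indexes
     | stats max(frozenTimePeriodInSecs) as frozenTimePeriodInSecs by title
     | rename title as index]
| eval ageDays=round((now() - earliestTime) / 86400, 0)
| eval retentionDays=round(frozenTimePeriodInSecs / 86400, 0)
| eval earliestEvent=strftime(earliestTime, "%F %T")
| table index earliestEvent ageDays retentionDays
| sort - ageDays
```

Run it over All time so tstats can see the oldest buckets; an index where ageDays is well above retentionDays still holds data past its configured freeze period.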