How to find earliest time a string appeared in a v...

mlaurabermudez · ‎06-14-2019

I have a field named "example", I want to find the first time that the first log that contained the word "hello".
How can I do this?

In other words, I have a field named "example" that contains several logs with text values. I want to obtain the time of the first log that contained the word "hello".

amitm05 · ‎06-15-2019

@mlaurabermudez

You want to go something like -

index="SomeIndex" sourcetype="SomeSourceType" example="*hello*" | stats min(_time) as earliestTime values(example) as example latest(_raw) as RawEvent  | eval earliestTime=strftime(earliestTime,"%+")

And if you are saying that you need to do this for 2 different values in 2 different events, you would want to bring in the group by, Like

index="SomeIndex" sourcetype="SomeSourceType" example="hello1" OR example="*hello2*" | stats min(_time) as earliestTime latest(_raw) as RawEvent by example  | eval earliestTime=strftime(earliestTime,"%+")'

Please let me know if this answers your question! 😄
Thanks

kmorris_splunk · ‎06-14-2019

Does this give you what you are looking for:

index=YOURINDEX sourcetype=YOURSOURCETYPE example="*hello*" 
| stats earliest(_time) as earliest_time 
| eval earliest_time=strftime(earliest_time,"%m/%d/%Y %H:%M:%S")

How to find earliest time a string appeared in a value?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms