Currently, i have the below result of the search. It is returning the servername,errorcode and the timestamp.
What my objective is to have the 1sttimestamp and lasttimestamp of the server 1 error with the given errocode 50 to be on the same row of the result.
If the error only appears once, then the 1sttimestamp and the lasttimestamp will be the same.
Before:
servername ErrorCode Time
Server1 50 2019-08-03 01:24:05
Server2 50 2019-08-03 01:23:05
server1 50 2019-08-03 01:22:05
After:
servername ErrorCode Lastest Time First_Error_Time
Server1 50 2019-08-03 01:24:05 2019-08-03 01:22:05
Server2 50 2019-08-03 01:23:05 2019-08-03 01:23:05
@newbie09,
Try
"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode
You may change the time format using ctime
or strftime
@newbie09,
Try
"your search" |stats latest(_time) as LatestTime,earliest(_time) as Earliest by servername, ErrorCode
You may change the time format using ctime
or strftime
Thank you @renjith.nair
working!!!!
thanks renjith!!! i'll try and let you know.