Splunk Search

Is there a way to have the 1st timestamp and last timestamp to be in the same row? Please check below example

newbie09
Explorer

Currently, I have the below result of the search. It is returning the servername, errorcode and the timestamp.
My objective is to have the 1st timestamp and last timestamp of the Server1 error with the given errorcode 50 on the same row of the result.
If the error only appears once, then the 1st timestamp and the last timestamp will be the same.

Before:
servername  ErrorCode  Time
Server1     50         2019-08-03 01:24:05
Server2     50         2019-08-03 01:23:05
server1     50         2019-08-03 01:22:05

After:
servername  ErrorCode  Latest Time          First_Error_Time
Server1     50         2019-08-03 01:24:05  2019-08-03 01:22:05
Server2     50         2019-08-03 01:23:05  2019-08-03 01:23:05

0 Karma
1 Solution

renjith_nair
SplunkTrust

@newbie09,

Try

"your search" | stats latest(_time) as LatestTime, earliest(_time) as Earliest by servername, ErrorCode

You may change the time format using ctime or strftime

Happy Splunking!


0 Karma
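
The answer's search carried through on the question's three sample rows, as an added example that is not part of the original post. The rows are constructed inline (the `constructed_sample` field and the `rex` parsing are assumptions for illustration), `lower()` is applied because `stats ... by` groups on exact field values and the sample mixes `Server1` and `server1`, and `strftime` formats the epoch results as the answer suggests.

```spl
| makeresults
| eval constructed_sample="Server1,50,2019-08-03 01:24:05;Server2,50,2019-08-03 01:23:05;server1,50,2019-08-03 01:22:05"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<servername>[^,]+),(?<ErrorCode>[^,]+),(?<Time>.+)$"
| eval _time=strptime(Time, "%Y-%m-%d %H:%M:%S")
| eval servername=lower(servername)
| stats latest(_time) as LatestTime, earliest(_time) as First_Error_Time by servername, ErrorCode
| eval LatestTime=strftime(LatestTime, "%Y-%m-%d %H:%M:%S"),
       First_Error_Time=strftime(First_Error_Time, "%Y-%m-%d %H:%M:%S")
```

Against real events, replace everything above the `eval servername=lower(servername)` line with your own search; a server whose error appears only once gets the same value in both time columns.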

newbie09
Explorer

Thank you @renjith.nair

working!!!!

0 Karma

newbie09
Explorer

Thanks renjith!!! I'll try and let you know.

0 Karma