Solved: earliest or latest time in outputcsv filename

ryastrebov · ‎04-26-2013

Hello!

I have multiple saved search. Each search covers the period of 12 hours. Accordingly, each search has a earliest time and latest time. The results of each search are uploaded to csv.
I would like to name each file contained earliest time of search. It is possible?

Function

| outputcsv [ | stats count | eval filename=strftime(now(), "filename_%d_%m_%y_%H_%M_%S") | return $filename]

return filename, contains current time when search is started.
But I do not know how to enter in the name of the file earliest time.

Tell me, is it possible to do this and if so, how?

kurdbahr · ‎06-26-2013

How about this?



| outputcsv [ | stats count | addinfo | eval filename=strftime(info_min_time, "filename_%d_%m_%y_%H_%M_%S") | return $filename]

View solution in original post

kurdbahr · ‎06-26-2013

How about this?



| outputcsv [ | stats count | addinfo | eval filename=strftime(info_min_time, "filename_%d_%m_%y_%H_%M_%S") | return $filename]

earliest or latest time in outputcsv filename

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!