Solved: Re: How can I create extract the earliest and late...

jedatt01 · ‎03-09-2016

I would like to display the original earliest and latest of a search as fields in my table results. My query below.

index=myindex msg_severity=ERROR | timechart span=15m count by field_TEXT  | untable _time field_TEXT count | eval count = if(count=0,1,count) | streamstats window=2 global=f current=t first(count) As p_count by field_TEXT | eval percent_change=((count-p_count)/(p_count))*100

I would like to add something like this to the end of my search to show the earliest and latest of the search on every row

| eval start=$earliest | eval end=$latest

Is this possible?

javiergn · ‎03-09-2016

You can use the addinfo command for that:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

View solution in original post

javiergn · ‎03-09-2016

You can use the addinfo command for that:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

jedatt01 · ‎03-09-2016

Exactly what i needed!

How can I create extract the earliest and latest times for current search and create fields for them?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio