saurabh choudhary
Reputation: 93
How do I find first occurence of a particular event for the list of users in splunk
I have to find the first occurrence of a particular event for the list of users in splunk.
eg: I have a list of users say 10 from another query.
I am using the below query to find date of the first mail sent by customer 12345. How do I find the same for a list of customer that I get from another query?
index=abc appname=xyz "12345" "*\"SENT\"}}"|reverse|table _time|head 1
Upvotes: 0
Views: 1608
Answers (1)
RichG
Reputation: 9926
Try using stats.
index=abc appname=xyz "12345" "*\"SENT\"}}" | stats first(_time)
Upvotes: 0
Related Questions
- Splunk Query to find greater than
- Splunk query to get user, saved search name, last time the query ran
- Splunk : extract multiple values from each event
- Splunk: Group by certain entry in log file
- Splunk: How to get N-most-recent values for each group?
- Group events by multiple fields in Splunk
- Splunk query filter out based on other event in same index
- Filtering duplicate entries from Splunk events
- How to count the total number of events in a splunk search result?
- Splunk - counting numeric information in events