How do I find first occurence of a particular event for the list of users in splunk

Question

i have to first occurence of a particular event for the list of users in splunk.

eg: i have list of user say 10 from another query.

i am using below query to find date of first mail sent by customer 12345. How do i find the same for a list of customer that i get from another query?

index=abc appname=xyz "12345" "*\"SENT\"}}"|reverse|table _time|head 1

score 0 · Answer 1 · answered May 16 '18 at 13:46

0

Try using stats.

index=abc appname=xyz "12345" "*\"SENT\"}}" | stats first(_time)

answered May 16 '18 at 13:46

RichG

9,063
2
18
29

i don want to pass "12345" in search query, instead pass custId from another search query – saurabh choudhary May 17 '18 at 11:06
Then replace "12345" with a subsearch that returns a custId. `index=abc appname=xyz [index=foo | return custId] "*\"SENT\"}}" | stats first(_time)` – RichG May 17 '18 at 13:33

How do I find first occurence of a particular event for the list of users in splunk

1 Answers1