I would like to display the original earliest and latest of a search as fields in my table results. My query is below.
index=myindex msg_severity=ERROR
| timechart span=15m count by field_TEXT
| untable _time field_TEXT count
| eval count = if(count=0,1,count)
| streamstats window=2 global=f current=t first(count) as p_count by field_TEXT
| eval percent_change=((count-p_count)/(p_count))*100
I would like to add something like this to the end of my search to show the earliest and latest of the search on every row:
| eval start=$earliest | eval end=$latest
Is this possible?
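As an added example (not part of the original post), the search above with Splunk's `addinfo` command appended: `addinfo` attaches the search's time boundaries as `info_min_time` and `info_max_time` (epoch seconds) to every result row, which `strftime` then formats into readable `start` and `end` fields; `$earliest$`-style tokens only resolve inside dashboards, not in an ad-hoc search. The index, field and severity values are taken from the question.

```spl
index=myindex msg_severity=ERROR
| timechart span=15m count by field_TEXT
| untable _time field_TEXT count
| eval count = if(count=0,1,count)
| streamstats window=2 global=f current=t first(count) as p_count by field_TEXT
| eval percent_change=((count-p_count)/(p_count))*100
| addinfo
| eval start = strftime(info_min_time, "%Y-%m-%d %H:%M:%S"),
       end   = if(info_max_time="+Infinity", "now", strftime(info_max_time, "%Y-%m-%d %H:%M:%S"))
| fields - info_min_time info_max_time info_sid info_search_time
```

When the search runs over All time, `info_max_time` is the string `+Infinity` rather than an epoch value, which is why `end` is formatted conditionally; the trailing `fields -` drops the helper fields `addinfo` adds so they do not clutter the table.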