topic Re: how to find get the latest values of a field which is available in different field level in Splunk Enterprise

How to find the latest values of a field which is available in different field level?

splunker2022 — Mon, 04 Apr 2022 16:40:37 GMT

Hi i am new to splunk. i am creating splunk dashboard.i have the interesting fields like field1.field2.x.stacktrace{} ,field1.field2.x.x.stacktrace{}, field1.field2.x.x.x.stacktrace{} ,fieldN.msg , field.time

i am counting based on fieldN.msg and displaying latest(field.time) ,count(fieldN.msg) for each group using stats( stats count(fieldN.msg) , latest(field.time) by fieldN.msg)

some events has values in field1.field2.x.stacktrace{} or field1.field2.x.x.stacktrace{} or field1.field2.x.x.x.stacktrace{} . for some events those fields are not even available. for some events it may be available in field1.field2.x.stacktrace{} and field1.field2.x.x.stacktrace{} fields as well

How can i get the latest stacktrace of each group as another field in stats table if the stacktrace is available in any level or if its not available in any event of the group then "NA" has to be displayed

Re: how to find get the latest values of a field which is available in different field level

ITWhisperer — Tue, 29 Mar 2022 11:47:29 GMT

Assuming only one of field1.field2.x.stacktrace{} ,field1.field2.x.x.stacktrace{}, field1.field2.x.x.x.stacktrace{} appears in each event, then

| eval stacktrace=coalesce('field1.field2.x.stacktrace{}', 'field1.field2.x.x.stacktrace{}', 'field1.field2.x.x.x.stacktrace{}') | stats ... latest(stacktrace) as stacktrace ...

Re: how to find get the latest values of a field which is available in different field level

somesoni2 — Tue, 29 Mar 2022 12:35:21 GMT

Try something like this

your current search before stats | eval stacktrace=null() | foreach *.stacktrace [| eval stacktrace=coalesce('<<FIELD>>', stacktrace) ] | eval stacktrace=coalesce(stacktrace,"NA") | stats count(fieldN.msg) , latest(field.time) latest(stacktrace) as stacktrace by fieldN.msg

Re: how to find get the latest values of a field which is available in different field level

splunker2022 — Tue, 29 Mar 2022 15:56:05 GMT

Thanks for your reply. could you kindly explain what it is doing, so i can understand what it is doing

Re: how to find get the latest values of a field which is available in different field level

somesoni2 — Tue, 29 Mar 2022 17:07:44 GMT

your current search before stats | eval stacktrace=null() ##Created stacktrace field with initial null() value.## | foreach *.stacktrace [| eval stacktrace=coalesce('<<FIELD>>', stacktrace) ] ## Loop through all *.stacktrace fields that are available at different level,e.g field.x.stacktrace, field.y.z.stacktrace etc, and take the last not-null value and store it in stacktrace field. If you want to take first not-null value, reverse the position of stacktrace. i.e. | eval stacktrace=coalesce(stacktrace, '<<FIELD>>')## | eval stacktrace=coalesce(stacktrace,"NA") ## if stacktrace value is still null after the loop, means no other *.stacktrace field has value, use "NA" as default value. | stats count(fieldN.msg) , latest(field.time) latest(stacktrace) as stacktrace by fieldN.msg

Re: how to find get the latest values of a field which is available in different field level

splunker2022 — Tue, 29 Mar 2022 17:37:10 GMT

sorry.what should i add in place of

<<FIELD>>

Re: how to find get the latest values of a field which is available in different field level

somesoni2 — Tue, 29 Mar 2022 17:41:51 GMT

That has to be used as is. The '<<FIELD>>' is placeholder literal string for foreach command. Think of it as loop variable or token.

https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Foreach

Re: how to find get the latest values of a field which is available in different field level

Paa2428 — Wed, 30 Mar 2022 06:58:48 GMT

Hi. What is <<field>> in the answer. And how to get only first 2 or 3 lines from that stacktrace

Re: how to find get the latest values of a field which is available in different field level

ITWhisperer — Wed, 30 Mar 2022 07:23:50 GMT

<<FIELD>> comes from the foreach command (see the documentation as directed earlier)

Not sure what the ask is here - does the stacktrace field already hold the whole trace and you want to trim it to just a couple of lines, or something else?

Re: how to find get the latest values of a field which is available in different field level

Paa2428 — Wed, 30 Mar 2022 07:47:41 GMT

Yes. If the returned stacktrace has complete stacktrace and just need to trim 1st 2 or 3 lines..

Re: how to find get the latest values of a field which is available in different field level

ITWhisperer — Wed, 30 Mar 2022 07:59:59 GMT

| rex field=stacktrace (?<stacktrace>.+\n.+)

Re: how to find get the latest values of a field which is available in different field level

splunker2022 — Wed, 30 Mar 2022 11:03:36 GMT

Hi, in my case the stacktrace is a array containing multiple lines containing the stacktraced..

{

a: {

app: xxx

}

Log: {

level: fatal

msge: err msg

Y: {

Zz: {

}

stackTrace: [ ggggggggggggg

jijii

kjjoijo

kjkjlkjlj

]

}

stackTrace: [

line1

line2

line3

line4

]

}

stacktrace may/maynot be available in events. if available it is available in different level and i need to get the 1st 2 or 3 lines and display the latest stacktrace and the latest timestamp of event which is grouped based on app

Re: how to find get the latest values of a field which is available in different field level

ITWhisperer — Wed, 30 Mar 2022 11:04:05 GMT

If stackTrace is a multivalue field, use mvindex

| eval shortstack=mvindex(stackTrace,0,1)

Re: how to find get the latest values of a field which is available in different field level

splunker2022 — Wed, 30 Mar 2022 11:47:48 GMT

Thanks for helping me .

I am getting NA for all events.. but if i use coalesce('field1.field2.x.stacktrace{} ', 'field1.field2.x.x.stacktrace{}', 'field1.field2.x.x.x.stacktrace{}') i am getting the stacktrace .. but i thought it would be great if i loop through and find the stacktrace at different levels because stacktrace might be in some other level as well

Re: how to find get the latest values of a field which is available in different field level

manimuthu — Mon, 04 Apr 2022 09:47:31 GMT

Hi .. thanks for the reply. i dont know where i am missing. its not working for me.

for instance...

| foreach *.stackTrace [| eval <<FIELD>> = "hello"]
| stats latest(field1.field2.x.x.stackTrace) as stacktrace by fieldN.msg

hello is not getting printed

.........

but when i give

| foreach field1.field2.x.x.stackTrace [| eval <<FIELD>> = "hello"]
| stats latest(field1.field2.x.x.stackTrace) as stacktrace by fieldN.msg

hello is getting displayed