https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355897#M5705 <P>That seems like great questionmancy. Upvote for divining the purpose of the question and aiming to solve the underlying issues rather than answer only what was asked.</P> Wed, 15 Mar 2017 18:41:08 GMT DalJeanis 2017-03-15T18:41:08Z https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355894#M5702 <P>Hi,</P> <P>How can I display in a single value chart only the value that is 2 when that occurs, or a single value 1 when other values are not present in a given time frame</P> <P>Events :</P> <P>source = A value = 1<BR /> source = B value = 1<BR /> source = C value = 1<BR /> source = D value = 1<BR /> .. <BR /> source = A value = 1<BR /> source = B value = 2<BR /> source = C value = 1<BR /> source = D value = 1</P> <P>My search :</P> <P>sourcetype=test | dedup value | stats last(value)</P> <P>Result : </P> <P>Will only show me the value = 1 and if value = 2 occurs, I do not see it. </P> <P>Please assist. </P> Wed, 15 Mar 2017 09:48:42 GMT https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355894#M5702 andrei1bc 2017-03-15T09:48:42Z https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355895#M5703 <P>You just need to change from last to max()</P> <PRE><CODE>&lt;Your Base Search&gt; | stats max(value) as MaxValue by source </CODE></PRE> Wed, 15 Mar 2017 10:33:37 GMT https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355895#M5703 niketn 2017-03-15T10:33:37Z https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355896#M5704 <P>'stats last(value)' shows the oldest value<BR /> 'stats latest(value)' shows the newest value in the index</P> <P>Both require accurate timestamping and do not take into account data that could be in flight / indexing lag. Meaning the results could vary based on when you run the search and how long it takes data to "get/be" there.</P> <P>I get the feeling you've greatly simplified what the possible values are and you're really looking for deviations from the common values though.</P> <P>If that's the case you might be looking for something a bit more complicated like this</P> <PRE><CODE>rootSearchHere NOT [ rootSearchHere | top 1 value by source | return $source $value] | stats values(value) by source </CODE></PRE> <P>This would remove the top 1 most common values per source from the search and return the other values by source.</P> Wed, 15 Mar 2017 10:57:33 GMT https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355896#M5704 jkat54 2017-03-15T10:57:33Z https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355897#M5705 <P>That seems like great questionmancy. Upvote for divining the purpose of the question and aiming to solve the underlying issues rather than answer only what was asked.</P> Wed, 15 Mar 2017 18:41:08 GMT https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355897#M5705 DalJeanis 2017-03-15T18:41:08Z https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355898#M5706 <P>Like this:</P> <PRE><CODE> sourcetype=test | dedup value source </CODE></PRE> <P>Or:</P> <PRE><CODE>sourcetype=test | stats earliest(value) latest(value) min(value) max(value) avg(value) BY source </CODE></PRE> <P>Depending on what priority you have regarding each source's <CODE>value</CODE>.</P> Wed, 15 Mar 2017 19:38:24 GMT https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355898#M5706 woodcock 2017-03-15T19:38:24Z https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355899#M5707 <P>Cheers Mate!</P> Wed, 15 Mar 2017 22:08:15 GMT https://community.splunk.com/t5/Splunk-Dev/Multyple-sources-display-only-one-value/m-p/355899#M5707 jkat54 2017-03-15T22:08:15Z