https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387297#M112990 <P>@ErikaE ,</P> <P>The <CODE>last</CODE> option should work for you or at least this is what I see. </P> <P><STRONG>Events</STRONG><BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5481i60171E72332377AA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>If you see here, the last sourcetype is kvstore and the component is KVStoreCollectionStats</P> <P>Now here is my SPL </P> <PRE><CODE>index=_*|table _time,index,sourcetype,component|sort _time|dedup index,sourcetype,component|stats last(eval(case(sourcetype="http_event_collector_metrics",component))) as component </CODE></PRE> <P>Which yields me the result " HttpEventCollector " which is not in my last event</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5482i273B572927D1A5FC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 08 Aug 2018 06:20:59 GMT renjith_nair 2018-08-08T06:20:59Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387296#M112989 <P>I'm attempting to use stats to process some data before further calculations are performed. I have too many events for transaction and would like to "keep" certain data from certain values of foo.</P> <PRE><CODE>| stats values(eval(if('foo'="bar", A, null())) </CODE></PRE> <P>The above expression runs, but returns multiple values if there is more than one foo event with different values of A. Sometimes the values are the same for a certain value of foo, but not always. Each field that gets passed through needs mv handling on the other side to get it back down to just one value. That's not ideal as there are 20+ fields that are needed after this stats command. Based on the context of foo I often know whether I want to keep the first or the last value.</P> <P>The expression </P> <PRE><CODE>| stats values(eval(case('foo'="bar", A))) </CODE></PRE> <P>Returns only one value, from the first event where the condition in the case statement is met. However, this doesn't work when what I want is the last occurrence of 'foo'="bar" and not the first. </P> <P>I've checked the <A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Usestatswithevalexpressionsandfunctions">eval+stats</A> documentation and splunk answers, but I'm having trouble finding an example of dynamic fields that uses first() last() earliest() or latest() instead of a sum or count function. </P> <P>Ideally I'd do something like:</P> <PRE><CODE> |stats last(eval(if('foo'="bar", A, null())) </CODE></PRE> <P>Which would return the value of A for the last event matching the condition foo="bar". However, if foo="bar" is not the last event then no data is returned. </P> <P>Is there a way to nest the last inside the eval statement? Should I be looking at match() instead? </P> Tue, 07 Aug 2018 21:51:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387296#M112989 ErikaE 2018-08-07T21:51:44Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387297#M112990 <P>@ErikaE ,</P> <P>The <CODE>last</CODE> option should work for you or at least this is what I see. </P> <P><STRONG>Events</STRONG><BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5481i60171E72332377AA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>If you see here, the last sourcetype is kvstore and the component is KVStoreCollectionStats</P> <P>Now here is my SPL </P> <PRE><CODE>index=_*|table _time,index,sourcetype,component|sort _time|dedup index,sourcetype,component|stats last(eval(case(sourcetype="http_event_collector_metrics",component))) as component </CODE></PRE> <P>Which yields me the result " HttpEventCollector " which is not in my last event</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5482i273B572927D1A5FC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 08 Aug 2018 06:20:59 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387297#M112990 renjith_nair 2018-08-08T06:20:59Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387298#M112991 <P>I must have had a typo in my syntax somewhere, I'm now seeing the behavior you'd expect.</P> <P>Thanks for taking the time to look and work up the example for me! </P> Wed, 08 Aug 2018 13:52:42 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-nest-the-last-event-inside-the-eval-statement/m-p/387298#M112991 ErikaE 2018-08-08T13:52:42Z