topic Re: Stats Command and timestamp in Splunk Search

Stats Command and timestamp

chuck_life09 — Thu, 01 Jul 2021 18:00:37 GMT

Hi ,

I am using a stats command with a "by" time field, but i am not getting the result.

If i remove the time field i am getting the desired result.

I want all the fields in my outcome, how to obtain.

stats latest(et) as "ET" by status, id, starttime - If i remove this "starttime" i am getting the outcome but i need that also in my outcome. Can i put a separate table? but there also this column is not showing.

I want all these fields ET,Status,id,Startime

What to do?

Re: Stats Command and timestamp

richgalloway — Thu, 01 Jul 2021 19:31:25 GMT

Make sure the starttime field exists and has values in it. The stats command will not produce results if one of the "by" fields is null.

It would help if you shared some sample data and a mock-up of the desired results.

Re: Stats Command and timestamp

chuck_life09 — Thu, 01 Jul 2021 23:04:04 GMT

Hi @richgalloway

Sample data

Et status I'd starttime

2021/07/01 04:00:00 failed abcf

2021/07/01 03:24:00

Re: Stats Command and timestamp

richgalloway — Fri, 02 Jul 2021 12:44:33 GMT

Is that data sample complete? If so, then the null fields explains why the stat command fails.