https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33792#M178313 <P>Streamstats can do that:</P> <PRE><CODE>... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ... </CODE></PRE> <P>This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.</P> <P>Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.</P> Wed, 14 Nov 2012 12:46:12 GMT martin_mueller 2012-11-14T12:46:12Z https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33791#M178312 <P>i have events for player accounts, which have player-levels, and have additional events for these accounts, which dont have the field player_level, looks e.g like this<BR /></P> <P>GENERAL-EVENT [ account-name=xxx account-level=1] <BR /><BR /> GENERAL-EVENT [ account-name=xxx account-level=2] <BR /><BR /> SPECIAL-EVENT [ account-name=xxx other-field=xxx] <BR /><BR /> GENERAL-EVENT [ account-name=xxx account-level=3] <BR /><BR /> SPECIAL-EVENT [ account-name=xxx other-field=xxx] <BR /><BR /> SPECIAL-EVENT [ account-name=xxx other-field=xxx] <BR /><BR /> GENERAL-EVENT [ account-name=xxx account-level=4] <BR /></P> <P>and i want to give the SPECIAL-EVENTS the field account-level at which this special-thing has "happened".<BR /> <BR /> so i found <BR /> | filldown account-level<BR /> <BR /><BR /> which works well as long i do a search only over one account-name, but when i want to do searches over all accounts there is nothing like<BR /><BR /> | filldown account-level by account-name<BR /> <BR /> is there any work-around?????<BR /><BR /> i'm using 4.3.3<BR /><BR /><BR /> edit: i tried variants with streamstats, but somehow when i use it for a bigger timeframe with many data, it dowsnt work the right way, cuz at some account-levels the level-sum contains 0 special-events, but where i know, that there are some, when i use the search for a specific account.</P> Wed, 14 Nov 2012 11:47:49 GMT https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33791#M178312 p_splunk 2012-11-14T11:47:49Z https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33792#M178313 <P>Streamstats can do that:</P> <PRE><CODE>... | reverse | streamstats last(account-level) as account-level by account-name | reverse | ... </CODE></PRE> <P>This would assign 2 to the first special event and 3 to the second and third special event. Without the reversing it would assign 3 to the first special event and 4 to the second and third special event.</P> <P>Maybe there's a more efficient way than my crude double-reverse, but off the top of my head that's the easiest way of making streamstats work in reverse.</P> Wed, 14 Nov 2012 12:46:12 GMT https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33792#M178313 martin_mueller 2012-11-14T12:46:12Z https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33793#M178314 <P>yes i know this usage (im actually often using | sort 0 +_time ... wonder which one is the "faster") <BR /><BR /> but the problem is somehow that with big data something stops working, i could imagine of something like maxout or smth, but i cant find any error message in the inspection (any of u have another hint what can be the reason?).</P> Wed, 14 Nov 2012 15:17:39 GMT https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33793#M178314 p_splunk 2012-11-14T15:17:39Z https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33794#M178315 <P>again: any of u have another hint what can be the reason?</P> Thu, 15 Nov 2012 10:34:39 GMT https://community.splunk.com/t5/Splunk-Search/filldown-by-clause/m-p/33794#M178315 p_splunk 2012-11-15T10:34:39Z