topic Re: how to use eval and stats first() (for dummies) in Splunk Search

how to use eval and stats first() (for dummies)

wsw70 — Mon, 25 Jun 2012 08:19:51 GMT

Hello,

Summary: how to get most recent vents for a given ID (for dummies)

I have data in the following format:

# OStime OSip OSreg OSstatus
1340406378 10.34.245.50 AG "NO TM"
1340406378 10.34.245.64 AG "NO TM"
1340406378 10.34.245.65 AG "NO TM"

OStime (which is correctly recognized as a timestamp) is unique to a set of data - there are many OStime entries in the index but I am only interested in the most recent one.

... | stats first(OStime)

correctly shows me the first instance of OStime

I then tried to do use it in an eval to get only data corresponding to this timestamp

... | eval mostrecent = stats first(OStime) | search OStime=mostrecent

This fails with a "Error in 'eval' command: The operator at 'first(OStime)' is invalid."

Thans in davnce for pointing me what is wrong, I looked at the examples in the documentation for eval, they look like mine except that they work 🙂

Re: how to use eval and stats first() (for dummies)

Ayn — Mon, 25 Jun 2012 08:41:57 GMT

eval works on a per-event basis, so stats commands for operating on multiple events doesn't apply.

Splunk should already have indexed your data so that it uses OStime as its internal timestamp as well. In that case, getting the most recent event could be achieved like this:

... | head 1

Re: how to use eval and stats first() (for dummies)

kristian_kolb — Mon, 25 Jun 2012 08:56:42 GMT

Hi,

I believe that there is a bit of confusion of concepts. stats operates on the whole set of events returned from the base search, and in your case you want to extract a single value from that set. eval creates a new field for all events returned in the search. Creating a new field called 'mostrecent' for all events is probably not what you intended.

Also if you look more closely at the documentation for eval, you will see that stats is not a valid function to eval.

Solution:
The default behaviour of Splunk is to return the most recent events first, so if you just want the find all events that have the same OStime as the most recent event you can use the head command in a subsearch;

sourcetype=your_sourcetype [search sourcetype=your_sourcetype | head 1 | fields + OStime]

The subsearch (within the square brackets) returns the field OStime (along with its value) for the most recent event (head 1) and adds it to the outer search, so that the main search reads something like;

sourcetype=your_sourcetype OStime=123345456

Hope this helps,

Kristian

Re: how to use eval and stats first() (for dummies)

kristian_kolb — Mon, 25 Jun 2012 08:57:04 GMT

Hmm, it seems that I spend too long time editing my answers 🙂

Re: how to use eval and stats first() (for dummies)

wsw70 — Mon, 25 Jun 2012 09:21:08 GMT

Thanks for the very detailed answer. Everything is now clear.

Re: how to use eval and stats first() (for dummies)

wsw70 — Mon, 25 Jun 2012 09:22:43 GMT

Thanks! Together with Kristian's answer it is now clear