How to select one of two event fields in stats?

user33 — Fri, 08 Jul 2022 20:32:49 GMT

Hi,

I have two event fields with the same name "timestamp". I just want to display (in stats) the "timestamp" field from the "ResponseReceive" logEventType. Not the one from logType "SystemLog". Currently is displays both. Is there a way to do this? Any assistance is appreciated. Thank you!!

...
| fields timestamp, apiName, apiVersion, ceoCompanyId, entityId, sessionId, transactionDetailsResponse.transactionDetailsList.totalCount, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.acctNumber, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.Amount, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.tranDateTime, transactionDetailsResponse.transactionDetailsList.transactionDetails{}.totalTranCount
| rename transactionDetailsResponse.transactionDetailsList.totalCount AS "TransactionCount", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.acctNumber AS "AcctNum", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.Amount AS "Amount", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.tranDateTime AS "TranDateTime", transactionDetailsResponse.transactionDetailsList.transactionDetails{}.totalTranCount AS "TotalTranCount"
| stats
values(timestamp) AS timestamp,
values(TranDateTime) AS TranDateTime,
values(apiName) AS apiName,
values(apiVersion) AS apiVersion,
values(ceoCompanyId) AS ceoCompanyId,
values(entityId) AS entityId,
values(TotalTranCount) AS TotalTranCount,
values(AcctNum) AS AcctNum,
by sessionId,

Re: Select One of Two Event Fields in Stats

danielcj — Fri, 08 Jul 2022 17:21:50 GMT

Hello @user33 ,

Will the "ResponseReceive" always be received after the "SystemLog", I mean, will the timestamp of the ResponseReceive always be latest than the SystemLog timestamp?

If yes, you could use the "latest" command from stats.

For example:

| stats latest(timestamp) AS timestamp by sessionId

Re: Select One of Two Event Fields in Stats

user33 — Fri, 08 Jul 2022 18:05:13 GMT

Yes, it is. That worked perfectly. Thank you!

topic Re: Select One of Two Event Fields in Stats in Splunk Search

How to select one of two event fields in stats?

Re: Select One of Two Event Fields in Stats

Re: Select One of Two Event Fields in Stats