topic Re: Fill empty fields backwards with streamstats in Splunk Search

Fill empty fields backwards with streamstats

Kristian_86 — Thu, 19 Oct 2023 14:01:06 GMT

Hi,
I have the following issue:
Have many events with different document_number+datetime_type, which have a field (started_on).
There is always 4 different types / document_number.
Then 4 new timestamp fields are evaluated by the type and the timestamp, so each event will have 1 new filled timestamp in a different field.

Now I need to fill the empty ones from the evaluated ones for the same document_number.
With streamstats I was able to fill them further (after found), but not backwards.

Is it possible somehow?
Or only if I do | reverse and apply streamstats again?

Re: Fill empty fields backwards with streamstats

ITWhisperer — Thu, 19 Oct 2023 13:43:40 GMT

Why not just use stats (instead of streamstats)?

Re: Fill empty fields backwards with streamstats

Kristian_86 — Thu, 19 Oct 2023 13:58:35 GMT

like? Could you please provide an example?
If I will use stats it will merge the 4 events into 1 or not fill the empty ones / document type
The main key fields are document_number and document_type which are required further.
So with:

| stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, ... by document_number
will unify the events by document_number which is not what I would like to achieve as there are many other fields required, which are not shown in the example.
| stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, .. by document_number, document_type
will do nothing as will select the event from itself and leave the empty fields empty.

P.S.: sorry I forgot to add the datetime_type to the example pictures, will add them.

Re: Fill empty fields backwards with streamstats

ITWhisperer — Thu, 19 Oct 2023 14:01:00 GMT

Try eventstats instead of stats if you want to keep the original events

Re: Fill empty fields backwards with streamstats

Kristian_86 — Thu, 19 Oct 2023 19:22:29 GMT

Working as expected, thank you 🙂