https://community.splunk.com/t5/Splunk-Search/How-to-get-most-recent-field-value-in-streamstats/m-p/189600#M54619 <P>I have the following query <BR /> index=qa sourcetype=xxx (JobName =xxxx) ClassName=xxxx | dedup buildNum, jobName, TestName | streamstats global=f current=f window=1 first(buildNum) as priorBuildNum, first(Status) as priorStatus by jobName, TestName | stats latest(Status) as currentStatus by buildNum,TestName |table buildNum, TestName , currentStatus</P> <P>I have 1st three columns with the above query . I want to compute the LastPassedBuildNum column ( I have added expected results)<BR /> Logic would be : if currentStatus is Success --&gt; get the buildNum and display that, if currentStatus is Error --&gt; get the most recent buildNum when test was Success</P> <P>buildNum TestName currentStatus Last PassedbuildNum<BR /> 4532 TestName1 Success 4532<BR /> 4532 TestName2 Error 4531 (assume)<BR /> 4533 TestName1 Success 4533<BR /> 4533 TestName2 Error 4531(assume)<BR /> 4534 TestName1 Error 4533 (should be most recent passed buildNum)<BR /> 4534 TestName2 Success 4534</P> <P>Could someone help me compute the last column in above table?</P> <P>I used foreach too but for some reason, i have not been able to get the desired result<BR /> Thanks!</P> Thu, 02 Jul 2015 18:04:09 GMT pkhimani 2015-07-02T18:04:09Z https://community.splunk.com/t5/Splunk-Search/How-to-get-most-recent-field-value-in-streamstats/m-p/189600#M54619 <P>I have the following query <BR /> index=qa sourcetype=xxx (JobName =xxxx) ClassName=xxxx | dedup buildNum, jobName, TestName | streamstats global=f current=f window=1 first(buildNum) as priorBuildNum, first(Status) as priorStatus by jobName, TestName | stats latest(Status) as currentStatus by buildNum,TestName |table buildNum, TestName , currentStatus</P> <P>I have 1st three columns with the above query . I want to compute the LastPassedBuildNum column ( I have added expected results)<BR /> Logic would be : if currentStatus is Success --&gt; get the buildNum and display that, if currentStatus is Error --&gt; get the most recent buildNum when test was Success</P> <P>buildNum TestName currentStatus Last PassedbuildNum<BR /> 4532 TestName1 Success 4532<BR /> 4532 TestName2 Error 4531 (assume)<BR /> 4533 TestName1 Success 4533<BR /> 4533 TestName2 Error 4531(assume)<BR /> 4534 TestName1 Error 4533 (should be most recent passed buildNum)<BR /> 4534 TestName2 Success 4534</P> <P>Could someone help me compute the last column in above table?</P> <P>I used foreach too but for some reason, i have not been able to get the desired result<BR /> Thanks!</P> Thu, 02 Jul 2015 18:04:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-most-recent-field-value-in-streamstats/m-p/189600#M54619 pkhimani 2015-07-02T18:04:09Z https://community.splunk.com/t5/Splunk-Search/How-to-get-most-recent-field-value-in-streamstats/m-p/189601#M54620 <P>Copy this run-anywhere example into a new search window:</P> <PRE><CODE>| stats count as build | eval status = "Success Error Success Success Error Error Success" | makemv status | mvexpand status | streamstats count as build | streamstats last(eval(case(status="Success", build))) as lastSuccessfulBuild </CODE></PRE> <P>Results:</P> <PRE><CODE>build lastSuccessfulBuild status 1 1 Success 2 1 Error 3 3 Success 4 4 Success 5 4 Error 6 4 Error 7 7 Success </CODE></PRE> <P>This should be translatable to your problem.</P> Thu, 02 Jul 2015 23:06:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-most-recent-field-value-in-streamstats/m-p/189601#M54620 martin_mueller 2015-07-02T23:06:47Z