https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217401#M63874 <P>Did you sort this out?</P> Mon, 16 Jan 2017 16:51:55 GMT snoobzilla 2017-01-16T16:51:55Z https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217398#M63871 <P>In my search, I'm using a transaction. After that, I create a table from the results, then I want to apply an <CODE>eventstats last()</CODE> function.<BR /> In my table, I have two columns, let's say colA, and colB.<BR /> If I'm running the transaction without any further arguments, the <CODE>last()</CODE> function works for both columns, like this:</P> <PRE><CODE>| transaction keyfield | table colA, colB, keyfield | eventstats last(colA) as last_colA, last(colB) as last_colB by keyfield </CODE></PRE> <P>However, for another reason, I need to run the transaction with mvlist=t.<BR /> When I do this, the eventstats function fails, but only for one column.<BR /> In this case, fails for colA, but works fine with colB.</P> <P>I don't get what is the difference, since I'm having the same type of values in both columns.<BR /> If it works for one column, why does it fail for the other one?</P> Tue, 03 Jan 2017 15:19:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217398#M63871 szabados 2017-01-03T15:19:03Z https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217399#M63872 <P>Do you get single value for last_colA and last_colB columns OR multivalued fields? </P> Tue, 29 Sep 2020 12:14:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217399#M63872 somesoni2 2020-09-29T12:14:59Z https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217400#M63873 <P>I am guessing that the issue here is something to do with multivalue fields. </P> <P>A couple of options come to mind, do eventstats first...</P> <P>| eventstats last(colA) as last_colA, last(colB) as last_colB by keyfield<BR /> | transaction keyfield<BR /> | table colA, colB, last_colA, last_colB, keyfield</P> <P>That said transaction and eventstats is REALLY REALLY inefficient. I would suggest eliminating transaction command altogether because it can be a monster resource hog and yield incomplete results when used for high volume searches. Eventstats is pretty brutal too.</P> <P>Alternatives...</P> <P>| stats list(colA) AS colA last(colA) as last_colA list(colB) AS colB last(colB) as last_colB by keyfield</P> <P>OR </P> <P>| stats list(colA) AS colA list(colB) AS colB by keyfield<BR /> | eval last_colA=mvindex(colA,-1)<BR /> | eval last_colB=mvindex(colB,-1)</P> <P>Let me know if this works and relative performance.</P> Tue, 29 Sep 2020 12:18:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217400#M63873 snoobzilla 2020-09-29T12:18:03Z https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217401#M63874 <P>Did you sort this out?</P> Mon, 16 Jan 2017 16:51:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-quot-eventstats-last-quot-fail-for-one-column-when-I/m-p/217401#M63874 snoobzilla 2017-01-16T16:51:55Z