Archive

How to extract date of the latest event after group by?

Explorer

Hi Team,

I am facing issue after using group by clause. (Need date of the grouped event in DD-MM-YYYY )

The search that I am using is below:

index="test_mulesoft"  sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.*:\W+(?.*)\"" | stats count as result values(numberOfRequests) as request_id by numberOfRequests, | eval result = if (result==2,"SUCCESS","ERROR REPORTED")  | table request_id,result,DateTime

Basically, I am grouping with correlation id, once grouped i need timestamp of any event. (Screenshot below)

Tags (2)
0 Karma
1 Solution

Communicator

after your |stats count ... you will lose your field DateTime.
You can use eventstats instead of stats which will hold all your fields.

To make things clear: does your search results all have the same value for DateTime? Then you could add DateTime to your by clause in your stats command

index="test_mulesoft" sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.:\W+(?.)\"" | stats count as result values(numberOfRequests) as request_id by numberOfRequests DateTime | eval result = if (result==2,"SUCCESS","ERROR REPORTED") | table request_id,result,DateTime

View solution in original post

0 Karma

Communicator

after your |stats count ... you will lose your field DateTime.
You can use eventstats instead of stats which will hold all your fields.

To make things clear: does your search results all have the same value for DateTime? Then you could add DateTime to your by clause in your stats command

index="test_mulesoft" sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.:\W+(?.)\"" | stats count as result values(numberOfRequests) as request_id by numberOfRequests DateTime | eval result = if (result==2,"SUCCESS","ERROR REPORTED") | table request_id,result,DateTime

View solution in original post

0 Karma

Explorer

Thanks for the reply @damann, however after using eventstats command, I am no longer able to get a single entry. however, able to retrieve date.

0 Karma

Explorer

@damann it worked.!! Thank You so much!! I used dedup command to get rid of duplicate entry.

Still in the learning phase. Thanks once again.

index="testmulesoft" sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=raw "corelationid.:\W+(?.)\"" | eventstats latest(numberOfRequests) as requestid by numberOfRequests | dedup requestid | table time,requestid

0 Karma