Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

help on stats command for retrieving _time

jip31
Motivator
‎04-22-2021 03:58 AM

hello

In the stats command below, i try to retrieve the _time values (which is the Splunk timestamp) corresponding to the "Resolver group" column

I succeed to do this replacing the "by ticket_id" clause by an "assignment_group_name" clause but I need to keel my "by ticket_id" clause

| stats values(assignment_group_name) as "Resolver group", dc(assignment_group_name) as "Number of assignment group" by ticket_id

 I tried something like this, but I have just one timestamp

| stats latest(_time) as _time, values(assignment_group_name) as "Resolver group", dc(assignment_group_name) as "Number of assignment group" by ticket_id

Could you help please?

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 04:33 AM

I am not entirely sure what you are trying to achieve - perhaps some sample data and an example of what you are hoping to see would help. Having said that, have you tried having more than one dimension to the by clause e.g. 

| stats latest(_time) as _time by ticket_id assignment_group_name
0 Karma
Reply

jip31
Motivator
‎04-22-2021 07:25 AM

not good

a same ticket_id has many assinment group with many different times

that's the reason why we can use "by ticket_id" like explained

Tags (1)
0 Karma
Reply

jip31
Motivator
‎04-22-2021 09:34 AM

Actually, I have 3 columns

"Ticket Number"  "Resolver group"  "Count"

AAAAAAAAAAA     123                               3

                                       456

                                       789

As you can see, a ticket number can have different resolver group

In front of each Resolver group I would like to have the timestamp of the event because if there is for example 3 resolver group it means that 3 events exists

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 09:51 AM

Can the same resolver group appear in your events for the same ticket number? If so, which time do you want to keep, or do you want all the events (with time and associated resolver group)?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 07:30 AM

perhaps some sample data and an example of what you are hoping to see would help.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...