Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help on stats command for retrieving _time

jip31
Motivator
‎04-22-2021 03:58 AM

hello

In the stats command below, i try to retrieve the _time values (which is the Splunk timestamp) corresponding to the "Resolver group" column

I succeed to do this replacing the "by ticket_id" clause by an "assignment_group_name" clause but I need to keel my "by ticket_id" clause

| stats values(assignment_group_name) as "Resolver group", dc(assignment_group_name) as "Number of assignment group" by ticket_id

 I tried something like this, but I have just one timestamp

| stats latest(_time) as _time, values(assignment_group_name) as "Resolver group", dc(assignment_group_name) as "Number of assignment group" by ticket_id

Could you help please?

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 04:33 AM

I am not entirely sure what you are trying to achieve - perhaps some sample data and an example of what you are hoping to see would help. Having said that, have you tried having more than one dimension to the by clause e.g. 

| stats latest(_time) as _time by ticket_id assignment_group_name
0 Karma
Reply

jip31
Motivator
‎04-22-2021 07:25 AM

not good

a same ticket_id has many assinment group with many different times

that's the reason why we can use "by ticket_id" like explained

Tags (1)
0 Karma
Reply

jip31
Motivator
‎04-22-2021 09:34 AM

Actually, I have 3 columns

"Ticket Number"  "Resolver group"  "Count"

AAAAAAAAAAA     123                               3

                                       456

                                       789

As you can see, a ticket number can have different resolver group

In front of each Resolver group I would like to have the timestamp of the event because if there is for example 3 resolver group it means that 3 events exists

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 09:51 AM

Can the same resolver group appear in your events for the same ticket number? If so, which time do you want to keep, or do you want all the events (with time and associated resolver group)?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 07:30 AM

perhaps some sample data and an example of what you are hoping to see would help.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...