Solved: Add latest field with a filter to table that also ...

mrminks · ‎10-16-2024

Hi All, newbie here - Sorry if my subject is poorly worded, I'm a little confused!

I'm trying to add a field to the table below that will show how long it's been since the last test failed. This table also contains a column that shows the last time a test ran (pass or fail). Here's a picture.

Here's my current search:

index="redacted" | rex field=runtime "^(?<seconds>\w*.\w*)" |stats latest(result), latest(_time) as last_checked, latest(runtime) as lastRuntime, avg(seconds) as averageRuntime by test
| eval averageRuntime=round(averageRuntime,0)
| strcat averageRuntime f2 " seconds." field3 averageRuntime
| `timesince(last_checked,last_checked)`

Any ideas or tips are greatly appreciated. Thanks in Advance.

ITWhisperer · ‎10-16-2024

Try something like this

|stats latest(result), latest(eval(if(result="failed",_time,null()))) as last_failed, latest(_time) as last_checked, latest(runtime) as lastRuntime, avg(seconds) as averageRuntime by test

View solution in original post

mrminks · ‎10-16-2024

Wow this is exactly what I wanted! I spent hours trying to figure this out. Thanks again for the clear instructions

ITWhisperer · ‎10-16-2024

Try something like this

|stats latest(result), latest(eval(if(result="failed",_time,null()))) as last_failed, latest(_time) as last_checked, latest(runtime) as lastRuntime, avg(seconds) as averageRuntime by test

Add latest field with a filter to table that also displays unfiltered rows

stats

table

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation