Splunk Search

Avoid streamstats truncate to obtain previous value

DanielSp
Explorer

I have a index with the follow data:

KEY_ID, GROUP, DATE

With for example:
1, group1, 2021-06-01
1, group2, 2021-06-02
2, group1, 2021-06-01

...

I want to obtain next date value to show a table like:
1, group1, 2021-06-01,2021-06-02
1, group2, 2021-06-02,NULL

...

I know that I can sort It and use a command like streamstats:

| streamstats current=f last(DATE) as DATENEXT by KEY_ID

But, my issue is that my index have a million of records, so, the results are truncated to 10.000

Is there any way to obtain the DATENEXT without modify limits.conf for streamstats?

Thanks a lot¡

Regards

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Does window=1 help?

| streamstats window=1 current=f last(DATE) as DATENEXT by KEY_ID

View solution in original post

DanielSp
Explorer

Thanks a lot¡

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does window=1 help?

| streamstats window=1 current=f last(DATE) as DATENEXT by KEY_ID
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...