The streamstats last function is very close to a very important tool in my workflow; however, I would like it to evaluate in the opposite direction. My first thought was to use first, but that is definitely not the opposite of last in Splunk parlance as last continues to evaluate as one would expect of a streamstat, whereas first only repeats the single first seen value even if additional values are encountered in the stream.
Specifically, if an event table is shown with time descending order where the newest events are at the top of the table, the last function will repeat a value for the newest known until it gets "down" in time to the next known value and repeat that one from there down and so on. In other words, the last function repeats the last known value back in time until it gets to the next last known value. Makes sense!
Problem is, I want the opposite! I want a function that will repeat a known value forward in time until it encounters a newer known value in the stream.
Is there a way to reverse the order of evaluation for streamstats?
Just do | sort _time
before the streamstats command, and continue to use last()
Sort has a limit on how many events it can process, however, so this is not always practical.
To avoid the limit, use
| sort 0 _time
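The approach from the thread, written out as a complete search so it can be pasted into a Splunk search bar and checked. This is an added example, not a search from any poster above; the six events, their one-minute spacing and the marker values "A" and "B" are constructed with makeresults and eval purely to show the fill direction, and the field names n, value and filled are chosen here.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (n * 60)
| eval value = case(n==1, "A", n==4, "B", true(), null())
| sort 0 _time
| streamstats last(value) AS filled
| reverse
| table _time n value filled
```

Walking through it: n=1 is the newest event and n=6 the oldest, with known values only at n=1 ("A") and n=4 ("B"). The sort 0 _time puts the oldest event first (0 lifts the default event limit), so streamstats last(value) carries "B" forward in time across n=3 and n=2 until it meets "A" at n=1, and leaves n=5 and n=6 empty because nothing older is known. The trailing reverse only restores newest-first display order after the calculation; drop it if ascending order is fine for the rest of the search.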
Wonderful, thank you!