Splunk Search

Change the evaluation direction of streamstats?

Explorer

The streamstats last function is very close to a very important tool in my workflow; however, I would like it to evaluate in the opposite direction. My first thought was to use first, but that is definitely not the opposite of last in Splunk parlance as last continues to evaluate as one would expect of a streamstat, whereas first only repeats the single first seen value even if additional values are encountered in the stream.

Specifically, if an event table is shown with time descending order where the newest events are at the top of the table, the last function will repeat a value for the newest known until it gets "down" in time to the next known value and repeat that one from there down and so on. In other words, the last function repeats the last known value back in time until it gets to the next last known value. Makes sense!

Problem is, I want the opposite! I want a function that will repeat a known value forward in time until it encounters a newer known value in the stream.

Is there a way to reverse the order of evaluation for streamstats?

1 Solution

Splunk Employee

Just do | sort _time before the streamstats command, and continue to use last()


Explorer

Sort has a limit on how many events it can process, however, so this is not always practical.


Motivator

To avoid the limit, use

| sort 0 _time

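A side-by-side demonstration of the two evaluation directions, added here as an illustration and not taken from any poster on this thread. It constructs six events with makeresults, one minute apart, with a value on only two of them; the first streamstats runs over the default newest-first order (the descending table the question describes), and the second runs after sort 0 _time has reordered the events oldest-first, so last() now carries each known value forward in time:

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (n * 60)
| eval value = case(n==1, "A", n==4, "B")
| fields - n
| streamstats last(value) AS fill_backward
| sort 0 _time
| streamstats last(value) AS fill_forward
| table _time value fill_backward fill_forward
```

Because last() ignores null, each streamstats repeats the most recent non-null value it has seen in stream order. In the output, fill_backward carries "A" (the newest event) down over the two older empty rows before "B" takes over, while fill_forward leaves the two oldest rows empty, carries "B" forward until the event that sets "A", and then carries "A". The 0 in sort 0 removes the default 10,000-result limit that the plain sort command applies; without it, results beyond that limit would be silently dropped before streamstats ever saw them.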

Explorer

Wonderful, thank you!
