I would like some advice on the search command.
If I have 3 records like below, and each record contains the fields A and B:
_time            A                B
5/13/2014 05:00  5/13/2014 00:00  4
5/13/2014 01:00  5/13/2014 03:00  3
5/11/2014 00:00  5/12/2014 01:00  2
The above records are in a summary index.
My goal is to search the 3 records for the field B where the time in field A is the latest.
And I want to implement this in the search command.
I know I can do this by changing _time to A:
| eval _time = strptime(xxxxxx)
| stats latest(B)
But I already have a stats using the current _time:
| stats sum(B)
Somehow I want to combine the two stats in a very effective manner.
So if something like Excel's VLOOKUP were possible it would be easy, but it isn't possible.
| stats latest(A)
| lookup [latest(A)] OUTPUT field B <- Don't want to create the lookup table.
Any idea how to implement this with Splunk version 5.0.5?
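One way to get both results from a single pass over the summary index, as an added example rather than code from the question or from an answer: parse A into epoch seconds, use eventstats to stamp every record with the largest A seen, then compute sum(B) and the B of the record that carries that largest A in one stats call. The index and sourcetype names are assumed placeholders, and the time format string assumes A is stored exactly as shown in the sample table. Splunk 5 has no inline comment syntax, so the explanation stays in this lead-in.

```spl
index=summary sourcetype=my_summary
| eval A_epoch=strptime(A, "%m/%d/%Y %H:%M")
| eventstats max(A_epoch) as latest_A_epoch
| stats sum(B) as total_B,
        max(eval(if(A_epoch==latest_A_epoch, B, null()))) as B_at_latest_A,
        max(A_epoch) as latest_A_epoch
| eval latest_A=strftime(latest_A_epoch, "%m/%d/%Y %H:%M")
| fields total_B, latest_A, B_at_latest_A
```

On the three sample records this yields total_B=9, latest_A=5/13/2014 03:00 and B_at_latest_A=3, with no lookup file written. Because the selection is done by comparing A_epoch rather than _time, the existing sum(B) over the original _time window is untouched. If two records tie on the latest A, max() returns the larger of their B values; swap it for values() if you want all of them listed, and check that strptime returned a value (A_epoch is non-null) before trusting the result, since a record whose A fails to parse silently drops out of the comparison.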
As I see, you "Don't want to create the lookup table." And even if you run on a million records there will be only one value, which is the latest A. And as I see it, you require the A from a dynamic set of records, so a static lookup will not help. You may need to calculate the latest A on the basis of day or hour and use |outputlookup to append the values to a lookup file. Then you use inputlookup to find B. Or you may also use the MAP command to achieve the same.