Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract field from group with minimum timestamp

agh
Explorer
‎03-17-2021 04:06 AM

agh_0-1615978991460.png

 

I have a query like this where i group by REQUEST_ID

 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

I would like to add a new field in this output called TRIGGER_TYPE and display only that trigger_type from each group which has the minimum TIMESTAMP_DERIVED field (e2). (Note that TIMESTAMP_DERIVED is my custom timestamp field)

 

I see I can get a list of all the trigger types in each group with list(TRIGGER_TYPE) but i only want the TRIGGER_TYPE which has a specific value for the TIMESTAMP_DERIVED field.

Any ideas on how this can be achieved?

Labels (2)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎03-17-2021 04:34 AM

hi @agh,
Try this:

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | eventstats min(TIMESTAMP_DERIVED) as TIMESTAMP_DERIVED_min by REQUEST_ID | eval trigger_type_min=if(TIMESTAMP_DERIVED=TIMESTAMP_DERIVED_min, TRIGGER_TYPE, "") | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2, max(trigger_type_min) as TRIGGER_TYPE by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

agh
Explorer
‎03-17-2021 07:59 AM

this doesnt seem to give correct output, and also takes a lot of time to process (5+ min)

0 Karma
Reply

aasabatini
Motivator
‎03-17-2021 04:28 AM

Hi

after stats comand please create your triggered_time field with eval:

| eval TRIGGER_TYPE=if[please here create your condition with e2 fields]

https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/

after this order your output with  a table comand or other stats comand

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

agh
Explorer
‎03-17-2021 04:41 AM

agh_0-1615981155116.png

I tried this 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval a1=if(TIMESTAMP_DERIVED==e2, TRIGGER_TYPE, "not_first") | eval e1=e1/1000 | sort -e1

 

trying to output TRIGGER_TYPE field, but a1 is always "not_first". I tried changing the true false outputs, but looks like the field TRIGGER_TYPE is not outputted

 

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top