Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract field from group with minimum timestamp

agh
Explorer
‎03-17-2021 04:06 AM

agh_0-1615978991460.png

 

I have a query like this where i group by REQUEST_ID

 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

I would like to add a new field in this output called TRIGGER_TYPE and display only that trigger_type from each group which has the minimum TIMESTAMP_DERIVED field (e2). (Note that TIMESTAMP_DERIVED is my custom timestamp field)

 

I see I can get a list of all the trigger types in each group with list(TRIGGER_TYPE) but i only want the TRIGGER_TYPE which has a specific value for the TIMESTAMP_DERIVED field.

Any ideas on how this can be achieved?

Labels (2)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎03-17-2021 04:34 AM

hi @agh,
Try this:

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | eventstats min(TIMESTAMP_DERIVED) as TIMESTAMP_DERIVED_min by REQUEST_ID | eval trigger_type_min=if(TIMESTAMP_DERIVED=TIMESTAMP_DERIVED_min, TRIGGER_TYPE, "") | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2, max(trigger_type_min) as TRIGGER_TYPE by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

agh
Explorer
‎03-17-2021 07:59 AM

this doesnt seem to give correct output, and also takes a lot of time to process (5+ min)

0 Karma
Reply

aasabatini
Motivator
‎03-17-2021 04:28 AM

Hi

after stats comand please create your triggered_time field with eval:

| eval TRIGGER_TYPE=if[please here create your condition with e2 fields]

https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/

after this order your output with  a table comand or other stats comand

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

agh
Explorer
‎03-17-2021 04:41 AM

agh_0-1615981155116.png

I tried this 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval a1=if(TIMESTAMP_DERIVED==e2, TRIGGER_TYPE, "not_first") | eval e1=e1/1000 | sort -e1

 

trying to output TRIGGER_TYPE field, but a1 is always "not_first". I tried changing the true false outputs, but looks like the field TRIGGER_TYPE is not outputted

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...