Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract field from group with minimum timestamp

agh
Explorer
‎03-17-2021 04:06 AM

agh_0-1615978991460.png

 

I have a query like this where i group by REQUEST_ID

 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

I would like to add a new field in this output called TRIGGER_TYPE and display only that trigger_type from each group which has the minimum TIMESTAMP_DERIVED field (e2). (Note that TIMESTAMP_DERIVED is my custom timestamp field)

 

I see I can get a list of all the trigger types in each group with list(TRIGGER_TYPE) but i only want the TRIGGER_TYPE which has a specific value for the TIMESTAMP_DERIVED field.

Any ideas on how this can be achieved?

Labels (2)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎03-17-2021 04:34 AM

hi @agh,
Try this:

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | eventstats min(TIMESTAMP_DERIVED) as TIMESTAMP_DERIVED_min by REQUEST_ID | eval trigger_type_min=if(TIMESTAMP_DERIVED=TIMESTAMP_DERIVED_min, TRIGGER_TYPE, "") | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2, max(trigger_type_min) as TRIGGER_TYPE by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

agh
Explorer
‎03-17-2021 07:59 AM

this doesnt seem to give correct output, and also takes a lot of time to process (5+ min)

0 Karma
Reply

aasabatini
Motivator
‎03-17-2021 04:28 AM

Hi

after stats comand please create your triggered_time field with eval:

| eval TRIGGER_TYPE=if[please here create your condition with e2 fields]

https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/

after this order your output with  a table comand or other stats comand

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

agh
Explorer
‎03-17-2021 04:41 AM

agh_0-1615981155116.png

I tried this 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval a1=if(TIMESTAMP_DERIVED==e2, TRIGGER_TYPE, "not_first") | eval e1=e1/1000 | sort -e1

 

trying to output TRIGGER_TYPE field, but a1 is always "not_first". I tried changing the true false outputs, but looks like the field TRIGGER_TYPE is not outputted

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...