Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract field from group with minimum timestamp

agh
Explorer
‎03-17-2021 04:06 AM

agh_0-1615978991460.png

 

I have a query like this where i group by REQUEST_ID

 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

I would like to add a new field in this output called TRIGGER_TYPE and display only that trigger_type from each group which has the minimum TIMESTAMP_DERIVED field (e2). (Note that TIMESTAMP_DERIVED is my custom timestamp field)

 

I see I can get a list of all the trigger types in each group with list(TRIGGER_TYPE) but i only want the TRIGGER_TYPE which has a specific value for the TIMESTAMP_DERIVED field.

Any ideas on how this can be achieved?

Labels (2)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎03-17-2021 04:34 AM

hi @agh,
Try this:

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | eventstats min(TIMESTAMP_DERIVED) as TIMESTAMP_DERIVED_min by REQUEST_ID | eval trigger_type_min=if(TIMESTAMP_DERIVED=TIMESTAMP_DERIVED_min, TRIGGER_TYPE, "") | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2, max(trigger_type_min) as TRIGGER_TYPE by REQUEST_ID | eval e1=e1/1000 | sort -e1

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

agh
Explorer
‎03-17-2021 07:59 AM

this doesnt seem to give correct output, and also takes a lot of time to process (5+ min)

0 Karma
Reply

aasabatini
Motivator
‎03-17-2021 04:28 AM

Hi

after stats comand please create your triggered_time field with eval:

| eval TRIGGER_TYPE=if[please here create your condition with e2 fields]

https://splunkonbigdata.com/2018/08/26/usage-of-splunk-eval-function-if/

after this order your output with  a table comand or other stats comand

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

agh
Explorer
‎03-17-2021 04:41 AM

agh_0-1615981155116.png

I tried this 

eventtype=sfdc-event-log EVENT_TYPE="ApexTrigger" REQUEST_ID!="" | stats sum(EXEC_TIME) as e1, min(TIMESTAMP_DERIVED) as e2 by REQUEST_ID | eval a1=if(TIMESTAMP_DERIVED==e2, TRIGGER_TYPE, "not_first") | eval e1=e1/1000 | sort -e1

 

trying to output TRIGGER_TYPE field, but a1 is always "not_first". I tried changing the true false outputs, but looks like the field TRIGGER_TYPE is not outputted

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...