Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fill empty fields backwards with streamstats

Kristian_86
Explorer
‎10-19-2023 05:45 AM

Hi,
I have the following issue:
Have many events with different document_number+datetime_type, which have a field (started_on).
There is always 4 different types / document_number.
Then 4 new timestamp fields are evaluated by the type and the timestamp, so each event will have 1 new filled timestamp in a different field.

Kristian_86_1-1697724054777.png

Now I need to fill the empty ones from the evaluated ones for the same document_number.
With streamstats I was able to fill them further (after found), but not backwards.

Kristian_86_3-1697719333839.png

Kristian_86_0-1697724019797.png

Is it possible somehow?
Or only if I do | reverse and apply streamstats again?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 07:01 AM

Try eventstats instead of stats if you want to keep the original events

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 06:43 AM

Why not just use stats (instead of streamstats)?

0 Karma
Reply
Solved! Jump to solution

Kristian_86
Explorer
‎10-19-2023 06:57 AM

like? Could you please provide an example?
If I will use stats it will merge the 4 events into 1 or not fill the empty ones / document type
The main key fields are document_number and document_type which are required further.
So with:

  • | stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, ... by document_number
    will unify the events by document_number which is not what I would like to achieve as there are many other fields required, which are not shown in the example.
  • | stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, .. by document_number, document_type
    will do nothing as will select the event from itself and leave the empty fields empty.

P.S.: sorry I forgot to add the datetime_type to the example pictures, will add them.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 07:01 AM

Try eventstats instead of stats if you want to keep the original events

Reply
Solved! Jump to solution

Kristian_86
Explorer
‎10-19-2023 07:03 AM

Working as expected, thank you 🙂

Kristian_86_0-1697724179531.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...