Solved: Fill empty fields backwards with streamstats

Kristian_86 · ‎10-19-2023

Hi,
I have the following issue:
Have many events with different document_number+datetime_type, which have a field (started_on).
There is always 4 different types / document_number.
Then 4 new timestamp fields are evaluated by the type and the timestamp, so each event will have 1 new filled timestamp in a different field.

Now I need to fill the empty ones from the evaluated ones for the same document_number.
With streamstats I was able to fill them further (after found), but not backwards.

Is it possible somehow?
Or only if I do | reverse and apply streamstats again?

ITWhisperer · ‎10-19-2023

Try eventstats instead of stats if you want to keep the original events

View solution in original post

ITWhisperer · ‎10-19-2023

Why not just use stats (instead of streamstats)?

Kristian_86 · ‎10-19-2023

like? Could you please provide an example?
If I will use stats it will merge the 4 events into 1 or not fill the empty ones / document type
The main key fields are document_number and document_type which are required further.
So with:

| stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, ... by document_number
will unify the events by document_number which is not what I would like to achieve as there are many other fields required, which are not shown in the example.
| stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, .. by document_number, document_type
will do nothing as will select the event from itself and leave the empty fields empty.

P.S.: sorry I forgot to add the datetime_type to the example pictures, will add them.

ITWhisperer · ‎10-19-2023

Try eventstats instead of stats if you want to keep the original events

Kristian_86 · ‎10-19-2023

Working as expected, thank you 🙂

Fill empty fields backwards with streamstats

eval

stats

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector