Splunk Search

Fill empty fields backwards with streamstats

Kristian_86
Explorer

Hi,
I have the following issue:
I have many events with different document_number + datetime_type combinations, each of which has a field (started_on).
There are always 4 different types per document_number.
Then 4 new timestamp fields are evaluated from the type and the timestamp, so each event will have 1 newly filled timestamp in a different field.


Now I need to fill the empty ones from the evaluated ones for the same document_number.
With streamstats I was able to fill them forwards (after the value is found), but not backwards.


Is it possible somehow?
Or only if I do | reverse and apply streamstats again?


ITWhisperer
SplunkTrust

Why not just use stats (instead of streamstats)?


Kristian_86
Explorer

Like what? Could you please provide an example?
If I use stats it will merge the 4 events into 1, or it will not fill the empty ones per document type.
The main key fields are document_number and document_type, which are required further on.
So with:

  • | stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, ... by document_number
    it will unify the events by document_number, which is not what I would like to achieve, as there are many other fields required which are not shown in the example.
  • | stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, ... by document_number, document_type
    it will do nothing, as it will select the event from itself and leave the empty fields empty.

P.S.: sorry I forgot to add the datetime_type to the example pictures, will add them.


ITWhisperer
SplunkTrust

Try eventstats instead of stats if you want to keep the original events
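The following search is an added, self-contained illustration of the eventstats approach; it is not code from the thread above. It constructs its own sample data with makeresults (two document numbers, four datetime_type values each, epoch timestamps in started_on), so the field names ts_created, ts_approved, ts_shipped and ts_invoiced and the type names created/approved/shipped/invoiced are assumptions chosen for the example, not names from the original post.

```spl
| makeresults count=8
| streamstats count AS n
``` comment: constructed sample data, two documents with four typed events each
| eval document_number=if(n<=4, "DOC-1", "DOC-2"),
       slot=((n-1) % 4) + 1,
       datetime_type=case(slot==1,"created", slot==2,"approved", slot==3,"shipped", slot==4,"invoiced"),
       started_on=now() + n*3600
| fields - n, slot, _time
``` comment: one new timestamp field per event, the other three stay null, as in the question
| eval ts_created  = if(datetime_type=="created",  started_on, null()),
       ts_approved = if(datetime_type=="approved", started_on, null()),
       ts_shipped  = if(datetime_type=="shipped",  started_on, null()),
       ts_invoiced = if(datetime_type=="invoiced", started_on, null())
``` comment: eventstats computes the per-document_number max (nulls are ignored) and writes it back onto every event of that group, so the fill works in both directions and no event is merged away
| eventstats max(ts_created)  AS ts_created,
             max(ts_approved) AS ts_approved,
             max(ts_shipped)  AS ts_shipped,
             max(ts_invoiced) AS ts_invoiced
             BY document_number
``` comment: render the epoch values for reading; every row of a document now carries all four timestamps
| eval ts_created=strftime(ts_created, "%F %T"), ts_approved=strftime(ts_approved, "%F %T"),
       ts_shipped=strftime(ts_shipped, "%F %T"), ts_invoiced=strftime(ts_invoiced, "%F %T")
| table document_number datetime_type started_on ts_created ts_approved ts_shipped ts_invoiced
```

The search yields the original 8 rows, each with all four ts_* fields populated for its document_number, which is the "fill backwards" result the question asks for without the reverse/streamstats/reverse round trip. Because eventstats is not a streaming command it holds the group summaries in memory until the result set is complete, so on large searches keep the cardinality of document_number (and the number of aggregated fields) in mind.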

Kristian_86
Explorer

Working as expected, thank you 🙂
