Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fill empty fields backwards with streamstats

Kristian_86
Explorer
‎10-19-2023 05:45 AM

Hi,
I have the following issue:
Have many events with different document_number+datetime_type, which have a field (started_on).
There is always 4 different types / document_number.
Then 4 new timestamp fields are evaluated by the type and the timestamp, so each event will have 1 new filled timestamp in a different field.

Kristian_86_1-1697724054777.png

Now I need to fill the empty ones from the evaluated ones for the same document_number.
With streamstats I was able to fill them further (after found), but not backwards.

Kristian_86_3-1697719333839.png

Kristian_86_0-1697724019797.png

Is it possible somehow?
Or only if I do | reverse and apply streamstats again?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 07:01 AM

Try eventstats instead of stats if you want to keep the original events

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 06:43 AM

Why not just use stats (instead of streamstats)?

0 Karma
Reply
Solved! Jump to solution

Kristian_86
Explorer
‎10-19-2023 06:57 AM

like? Could you please provide an example?
If I will use stats it will merge the 4 events into 1 or not fill the empty ones / document type
The main key fields are document_number and document_type which are required further.
So with:

  • | stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, ... by document_number
    will unify the events by document_number which is not what I would like to achieve as there are many other fields required, which are not shown in the example.
  • | stats max(timestamp1) as timestamp1, max(timestamp2) as timestamp2, .. by document_number, document_type
    will do nothing as will select the event from itself and leave the empty fields empty.

P.S.: sorry I forgot to add the datetime_type to the example pictures, will add them.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2023 07:01 AM

Try eventstats instead of stats if you want to keep the original events

Reply
Solved! Jump to solution

Kristian_86
Explorer
‎10-19-2023 07:03 AM

Working as expected, thank you 🙂

Kristian_86_0-1697724179531.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...