Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filter to last value for each day

ruhtraeel
Path Finder
‎01-06-2020 05:04 PM

Hello,
I have a query like this:

action="dateAccuracy" OR action="updateDate->handleEvent[dateAccuracy]" | reverse | streamstats sum(total_dates_correct) as totalDatesCorrectRunning, sum(total_datetypes) as totalDatesRunning | eval runningAverage=round((totalDatesCorrectRunning/totalDatesRunning)*100, 2) | stats values(runningAverage) by _time | stats earliest("values(runningAverage)") by _time

The result looks like this:

_time earliest(values(runningAverage))
2019-10-21 07:06:06 15.93
2019-10-21 07:06:08 15.97
2019-10-21 07:06:10 15.94
2019-10-21 07:06:11 16.00
2019-10-22 07:06:11 15.00
2019-10-22 07:08:12 16.77

How would I filter these results to show the last value of earliest(values(runningAverage)) by day?
Ex
_time earliest(values(runningAverage))
2019-10-21 16.00
2019-10-22 16.77

Thanks

Tags (2)
0 Karma
Reply

ruhtraeel
Path Finder
‎01-06-2020 05:42 PM

Figured it out. I just appended this to the end:
| reverse | eval date=strftime(_time,"%x")
| dedup date | reverse

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2020 03:45 AM

@ruhtraeel If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-06-2020 05:25 PM 
action="dateAccuracy" OR action="updateDate->handleEvent[dateAccuracy]" | reverse | streamstats sum(total_dates_correct) as totalDatesCorrectRunning, sum(total_datetypes) as totalDatesRunning | eval runningAverage=round((totalDatesCorrectRunning/totalDatesRunning)*100, 2) | bucket span=1d _time | stats values(runningAverage) by _time | stats earliest("values(runningAverage)") by _time
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...