Solved: Get first and last event by ID

benhooper · ‎08-13-2020

Is there an easy way to get the first and last event by a unique ID?

"transaction" seems to be the way to go but I haven't been able to figure out how to remove the in-between events / values then split them back out into individual events.

benhooper · ‎08-14-2020

I've achieved this with the following search:

<base search>
| dedup case_id, status
| reverse
| streamstats current=f last(status) as lastStatus by case_id
| eval firstEvent = if((status == "new" OR status == "in_progress") AND isnull(lastStatus), "True", "False")
| eval lastEvent = if(match(status, "resolved"), "True", "False")
| where firstEvent == "True" OR lastEvent  == "True"
| <other stuff>

View solution in original post

richgalloway · ‎08-13-2020

Have you tried stats?

... | stats earliest(_raw) as firstEvent, latest(_raw) as lastEvent by foo

---
If this reply helps you, Karma would be appreciated.

benhooper · ‎08-14-2020

Thanks for that.

It does sort of work but there's a few issues:

It splits the events into columns but I need to use things like "streamstats" on each of the events and I'm unsure whether that's possible with this.
Sometimes each unique ID only has 1 event and this duplicates them.

benhooper · ‎08-14-2020

I've achieved this with the following search:

<base search>
| dedup case_id, status
| reverse
| streamstats current=f last(status) as lastStatus by case_id
| eval firstEvent = if((status == "new" OR status == "in_progress") AND isnull(lastStatus), "True", "False")
| eval lastEvent = if(match(status, "resolved"), "True", "False")
| where firstEvent == "True" OR lastEvent  == "True"
| <other stuff>

Get first and last event by ID

table

transaction

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?