Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group by oldest Date

anava
New Member
‎04-02-2013 11:38 AM

Search:
stats count by filingType, application, recDate

filingType application recDate count

MN-CORP-FILING LACERTE 2013-03-31 1

MN-CORP-FILING LACERTE 2013-04-01 2

I need to group by oldest recDate so results look like this:

filingType application recDate count

MN-CORP-FILING LACERTE 2013-03-31 3

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-02-2013 01:14 PM

You should use stats in a slightly different manner. The problem is that you are now grouping by a field that will have different values, namely the recDate.

Instead you should only group by the first two, and just attach the lowest/earliest value of date for every combination of filingType and application, along with the count. If your recDate is in the format you specify you may need to alter that a bit for sorting purposes.

Alternative A (this assumes that events you have came in chronologically, which makes the last retrieved event have the earliest recDate - remember that a search always returns the newest events first);

...| stats c last(recDate) as recDate by filingType, application

Alternative B (which may be just as good, though just a little longer query);

...| eval rd = strptime(recDate, "%Y-%m-%d") | stats c min(rd) as recDate by filingType, application | eval recDate = strftime(recDate, "%Y-%m-%d")

This converts the date string into epoch for each event, which makes it easy to find the min() of that. Then it's converted back to a string for presentation purposes.

EDIT: typos and errors

Hope this helps,

Kristian

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2013 12:31 PM

You can get the minimum of a field using eventstats: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/eventstats

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎04-02-2013 12:17 PM

I would check the "sort" command. You can append your search with the following:

| sort recDate

Hope that helps.

0 Karma
Reply

anava
New Member
‎04-02-2013 12:27 PM

That command does not work. In SQL it would read this way:
group by filingType, application, min(recDate)

I need a way of using MIN in splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...