Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I get Streamstats to Calculate all Fields?

aohls
Contributor
‎06-21-2018 10:11 AM

I am using the following search which returns a table with three rows:

    | streamstats current=f last(_time) as NewTime first(_time) as LastTask by Item
    | eval Duration=NewTime-_time
    | eval RunTime=(Duration/60)
    | table JobName, RunTime, _time

The issue I am having is that my time is only caluculated for two of the rows, the earliest two. The final record is not calculating a time so I am getting the following:

JobName,RunTime, _time
Name1, ,5:00
Name2,120,4:00
Name3,60,2:00

Is there a way I can force it to calculate the final time?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2018 11:07 AM

The problem is that there is no last(_time) for row appearing first in result (would be the last result if sorted by _time), hence no calculation is done. What should the RunTime value for it?

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...