How can I get the content of a latest event's field and use it in aggregation without data loss?

qinglinms
Explorer

I have the following events:

TicketId      SplunkTimeStamp    Version
6.1608E+14    8/5/2016 8:32      16
6.1608E+14    8/4/2016 9:40
6.1608E+14    8/4/2016 8:50
6.1608E+14    8/4/2016 23:44     16
6.1608E+14    8/4/2016 8:00
6.1608E+14    8/4/2016 7:10

I want to get the total number of tickets by Version. Since some of the earlier events of the ticket do not have Version, to avoid a double count, I did:

index=events | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V

However, the Total did not count tickets that have only one event but do have a version, such as

TicketId      SplunkTimeStamp    Version
11111111      8/4/2016 10:44     16
22222222      8/3/2016 10:44     15

So the total number is less than expected.

1 Solution

JDukeSplunk
Builder

I don't know if I fully understand. Does the same ticket have multiple versions that increment? And you want to count the latest version of that particular ticket? If so, "max" might work

index=events | eventstats max(Version) as V by TicketId | stats count(V) as COUNT by V TicketId

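The accepted approach, reproduced on constructed data so it can be pasted into a Splunk search bar and checked (an added example, not the answerer's own search): the six events of the first ticket and the two single-event tickets are built with makeresults and eval, with Version left null where the table above has no value. eventstats keeps every event and stamps each one with the ticket's highest Version, so dc(TicketId) counts every ticket exactly once, including the single-event ones; the expected result is V=15 Total=1 and V=16 Total=2. The ticket id 610800000000000 stands in for the 6.1608E+14 value shown in the question and is an assumption.

```spl
| makeresults count=8
| streamstats count AS n
| eval TicketId=case(n<=6, "610800000000000", n==7, "11111111", n==8, "22222222")
| eval ts=case(n==1, "8/5/2016 8:32", n==2, "8/4/2016 9:40", n==3, "8/4/2016 8:50", n==4, "8/4/2016 23:44", n==5, "8/4/2016 8:00", n==6, "8/4/2016 7:10", n==7, "8/4/2016 10:44", n==8, "8/3/2016 10:44")
| eval _time=strptime(ts, "%m/%d/%Y %H:%M")
| eval Version=case(n==1, 16, n==4, 16, n==7, 16, n==8, 15)
| fields - n ts
| eventstats max(Version) AS V BY TicketId
| stats dc(TicketId) AS Total BY V
```

Replacing the makeresults/eval lines with `index=events` runs the same aggregation against real data; swap max() for latest() on the eventstats line to compare the two on the same events.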

somesoni2
SplunkTrust

Give this a try

index=events | reverse | filldown Version | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V

somesoni2
SplunkTrust

@qinglinms,

Not sure if you tried my solution and (after it worked for you) accepted the answer. If @JDukeSplunk is what you're implementing, go ahead and accept that answer (converted his comment to answer).

qinglinms
Explorer

max works!

qinglinms
Explorer

Thanks JDukeSplunk!
