Splunk Search

How can I get the content of a latest event's field and use it in aggregation without data loss?

Explorer

I have the following events:

TicketId     SplunkTimeStamp   Version
6.1608E+14   8/5/2016 8:32     16
6.1608E+14   8/4/2016 9:40
6.1608E+14   8/4/2016 8:50
6.1608E+14   8/4/2016 23:44    16
6.1608E+14   8/4/2016 8:00
6.1608E+14   8/4/2016 7:10

I want to get the total number of tickets by Version. Since some of the earlier events of the ticket do not have Version, to avoid a double count, I did:

index=events | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V

However, the Total did not count the ticket having one event and with a version, such as

TicketId     SplunkTimeStamp   Version
11111111     8/4/2016 10:44    16
22222222     8/3/2016 10:44    15

So the total number is less than expected.


Re: How can I get the content of a latest event's field and use it in aggregation without data loss?

Builder

I don't know if I fully understand. Does the same ticket have multiple versions that increment? And you want to count the latest version of that particular ticket? If so, "max" might work:

index=events | eventstats max(Version) as V by TicketId | stats count(V) as COUNT by V TicketId

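An added Python model (not code from this thread or from Splunk) of what the two queries compute over the sample rows above, so the difference between per-ticket latest(Version) and max(Version) can be checked offline; the field names follow the question and the event rows and ticket ids are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events modelled on the thread's two tables (ticket ids
# and timestamps are made up); Version is None where the event has no Version.
EVENTS = [
    {"TicketId": "610800000000001", "_time": "2016-08-05 08:32", "Version": 16},
    {"TicketId": "610800000000001", "_time": "2016-08-04 09:40", "Version": None},
    {"TicketId": "610800000000001", "_time": "2016-08-04 08:50", "Version": None},
    {"TicketId": "610800000000001", "_time": "2016-08-04 23:44", "Version": 16},
    {"TicketId": "610800000000001", "_time": "2016-08-04 08:00", "Version": None},
    {"TicketId": "610800000000001", "_time": "2016-08-04 07:10", "Version": None},
    {"TicketId": "11111111", "_time": "2016-08-04 10:44", "Version": 16},
    {"TicketId": "22222222", "_time": "2016-08-03 10:44", "Version": 15},
]

def _ts(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M")

def per_ticket_version(events, how):
    """Model of `eventstats latest(Version) as V by TicketId` (how="latest")
    and `eventstats max(Version) as V by TicketId` (how="max").
    Events without a Version take no part, as in Splunk's stats functions."""
    by_ticket = defaultdict(list)
    for e in events:
        if e["Version"] is not None:
            by_ticket[e["TicketId"]].append(e)
    if how == "latest":   # value from the most recent event that carries Version
        return {t: max(evs, key=_ts)["Version"] for t, evs in by_ticket.items()}
    if how == "max":      # highest Version seen for the ticket
        return {t: max(e["Version"] for e in evs) for t, evs in by_ticket.items()}
    raise ValueError(f"unknown aggregation: {how}")

def tickets_by_version(events, how="max"):
    """Model of `stats dc(TicketId) as Total by V`: distinct tickets per version."""
    totals = defaultdict(set)
    for ticket, version in per_ticket_version(events, how).items():
        totals[version].add(ticket)
    return {v: len(ids) for v, ids in sorted(totals.items())}

if __name__ == "__main__":
    print(tickets_by_version(EVENTS, "latest"))  # {15: 1, 16: 2}
    print(tickets_by_version(EVENTS, "max"))     # {15: 1, 16: 2}
```

On this data both aggregations give the same totals because a ticket's Version only ever goes up; they diverge only if a later event carried a lower Version than an earlier one.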


Re: How can I get the content of a latest event's field and use it in aggregation without data loss?

Explorer

max works!


Re: How can I get the content of a latest event's field and use it in aggregation without data loss?

Explorer

Thanks JDukeSplunk!


Re: How can I get the content of a latest event's field and use it in aggregation without data loss?

SplunkTrust

Give this a try:

index=events | reverse | filldown Version | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V

Re: How can I get the content of a latest event's field and use it in aggregation without data loss?

SplunkTrust

@qinglinms,

Not sure if you tried my solution and (after it worked for you) accepted the answer. If @JDukeSplunk is what you're implementing, go ahead and accept that answer (converted his comment to answer).