Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Sum Latest and Previous Field1 from multiple Field2.

keanhong
New Member
‎05-05-2019 08:48 PM

Hi All,

I have a problem to form the logic for sorting Latest and Previous Data to compare.
Looking Field1=Status , and Field2=ID and sort by Latest compare with Previous.

Search and Filter Data as below.
Event 1 -> Time=10:02AM , Field1=100 , Field2=1
Event 2 -> Time=10:01AM, Field1=50, Field2=2

Event 3 -> Time=9:25AM, Field1=80, Field2=1
Event 4 -> Time=9:24AM, Field1=40, Field2=2

Event 5 -> Time=9:05AM, Field1=70, Field2=1
Event 6 -> Time=9:02AM, Field1=20, Field2=2

End Result
Total Field1=150(which sum from 100+50) by picking latest from Field2=1&2.
And compare previous result Field1=120(which sum from 80+40) by picking 2nd latest from Field2=1&2.

My objective is to present the values different for Single Value Visualization.

Thanks.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-06-2019 04:52 PM

So the right answer is 30, right? Try this:

| makeresults 
| eval raw="_time=10:02AM,Field1=100,Field2=1 _time=10:01AM,Field1=50,Field2=2 _time=9:25AM,Field1=80,Field2=1 _time=9:24AM,Field1=40,Field2=2 _time=9:05AM,Field1=70,Field2=1 _time=9:02AM,Field1=20,Field2=2" 
| makemv raw 
| mvexpand raw 
| rename raw AS _raw
| kv
| eval _time = strptime(time, "%H:%M%p")
| sort 0 - _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats count(eval(Field2==1)) AS sessionID
| stats sum(Field1) AS Field1 BY sessionID
| head 2
| stats range(Field1)
0 Karma
Reply

keanhong
New Member
‎05-06-2019 06:27 PM

Hi First of all, thanks for responding this.
Might be i miss interpret my question.

I'm collecting the event from 2 Devices and sum up their sessions count to present in Single Value Visualization Chart. So every 10 minutes the Splunk will receive the message from our poller.

Thus in order to present in the Single Value Visulization i need latest and 2nd latest for the chart to compare and return the result.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-06-2019 07:07 PM

Give a mockup of what you expect the result to be given the raw event data that you showed in the question.

0 Karma
Reply

keanhong
New Member
‎05-06-2019 07:12 PM

alt text

This is the single value chart that i expect in the end.
Maybe i basic understanding of splunk not that well. Apologize for this.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-11-2019 12:02 PM

No, show me some of the actual events and then show me the data you expect to be generated on the stats page (not the visualization page).

0 Karma
Reply

Sukisen1981
Champion
‎05-05-2019 11:46 PM

Try this - 

<your index>| head 4
| streamstats count as row
| streamstats current=f window=1 last(Field1) as prev_field1,last(Field2) as prev_field2
| table row,Field1,prev_field1,Field2,prev_field2
| eval tot_fld1=if(row=2,Field1+prev_field1,0),tot_fld2=if(row=4,Field1+prev_field1,0)
| stats sum(tot_fld1) as field1_latest,sum(tot_fld2) as field1_second_latest

Choose trellis layout in single value viz.

0 Karma
Reply

keanhong
New Member
‎05-06-2019 06:28 PM

Hi, this is very close. I tried but somethings the result return in opposite and possible that we dont use the trellis? I tried few ways to edit based on the logic you given but still failed to produce it.

But thanks alot for responding!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...