Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add the latest field value from two hosts?

EricLloyd79
Builder
‎12-14-2015 01:18 PM

This is probably going to be a simple answer, but I've racked my brain over it for more time than I should have.

I have two hosts. I want to add together the two latest values of a particular field.
I know I can use latest(field) to get the latest value and I can do latest(field) by host to see the latest field per host.
However, I cannot do sum(latest(field)) by host of which I was hoping would work.

I cannot use latest(field) in an eval statement to use the + functionality.

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2015 04:06 PM

Try this!

yoursearchhere host=hostA OR host=hostB
| stats latest(myField) as latestValue by host
| stats sum(latestValue) as Total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2015 04:06 PM

Try this!

yoursearchhere host=hostA OR host=hostB
| stats latest(myField) as latestValue by host
| stats sum(latestValue) as Total
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎12-15-2015 08:25 AM

Thank you again for your answer. Is there a way to put it into a timechart span=1d? I have tried to convert it to
stats latest(requests) as latestRequests by host | timechart span=1d sum(latestRequests) as Total
but that doesnt return any results. Also tried adding timechart at the end after the second stat
I guess stats and timechart can't be mixed... so I'd have to find a way to do the stats functionality with timechart?

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-15-2015 02:49 PM

If you want to see the latest requests for each day, you could do it this way

yoursearchhere host=hostA OR host=hostB
| eval date=strftime(_time,"%x")
| stats latest(requests) as latestRequests by host date
| chart sum(latestRequests) as Total by date

The problem is that stats is a summarizing command and timechart needs the time of the event... so you have to figure out a way to do both. This is the best I've thought of so far.

Reply
Solved! Jump to solution

EricLloyd79
Builder
‎12-17-2015 09:21 AM

Thanks for all your help. That worked like a charm.

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎12-15-2015 07:28 AM

Thank you so much! Worked perfectly. I knew it had something to do with multiple instances of stats.

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top