- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add the latest field value from two hosts?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is probably going to be a simple answer, but I've racked my brain over it for more time than I should have.
I have two hosts. I want to add together the two latest values of a particular field.
I know I can use latest(field) to get the latest value and I can do latest(field) by host to see the latest field per host.
However, I cannot do sum(latest(field)) by host of which I was hoping would work.
I cannot use latest(field) in an eval statement to use the + functionality.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this!
yoursearchhere host=hostA OR host=hostB
| stats latest(myField) as latestValue by host
| stats sum(latestValue) as Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this!
yoursearchhere host=hostA OR host=hostB
| stats latest(myField) as latestValue by host
| stats sum(latestValue) as Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you again for your answer. Is there a way to put it into a timechart span=1d? I have tried to convert it to
stats latest(requests) as latestRequests by host | timechart span=1d sum(latestRequests) as Total
but that doesnt return any results. Also tried adding timechart at the end after the second stat
I guess stats and timechart can't be mixed... so I'd have to find a way to do the stats functionality with timechart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to see the latest requests for each day, you could do it this way
yoursearchhere host=hostA OR host=hostB
| eval date=strftime(_time,"%x")
| stats latest(requests) as latestRequests by host date
| chart sum(latestRequests) as Total by date
The problem is that stats is a summarizing command and timechart needs the time of the event... so you have to figure out a way to do both. This is the best I've thought of so far.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all your help. That worked like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much! Worked perfectly. I knew it had something to do with multiple instances of stats.
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
