Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to build a query by last date

Maik11
Observer
‎02-23-2022 01:13 AM

Hello All, 

I need some help please. 

 

I would like to query for the last upddate.  However, the field belegtyp and pdid can also change.  

I need the last upddate for them all ( last upddate when belegtyp for pdid change). 

Thats my query: 

| eval crdate=strptime(crdate,"%Y-%m-%d")
| eval crdate=strftime(crdate,"%Y-%m-%d")
| eval upddate=strptime(upddate,"%Y-%m-%d")
| eval upddate=strftime(upddate,"%Y-%m-%d")
| search belegnummer=177287
| stats last(upddate) by upddate crdate belegnummer belegtyp pdid

 

It hasn´t work so far with

| sort -upddate  

| stats last (upddate) by ...

| stats first (upddate) by...

 

I don't know why it doesn't work. 

Hope to get some help on this, thanks in advance. 

Labels (1)
Labels
0 Karma
Reply

Maik11
Observer
‎02-23-2022 04:02 AM

Hi Guiseppe,

I understand your suggestions. But it only counts me which pdid and belegnummer has more than one belegtyp. 

 

Maik11_0-1645613420933.png

In this example I get this back.

But I need back, from ZX5165 = belegtyp 6 (second) and from ZX5166, ZX5167 and ZX5168 = belegtyp=7. 

It is the last change of the update in my query. 

 

Thanks! 

0 Karma
Reply

Maik11
Observer
‎02-23-2022 01:44 AM

Hi,

thanks for your help. But your suggestions  unfortunately don't work too. 

 

I have several updates where the belegtyp of one or more pdid can change. 

In my example it is just one belegnummer. Usually these are thousands belegnummer. 

I need the last update on which the belegtyp from pdid of the belegnummer changes. 

Because the belegtyp can change between 1 to 10 . 

 

Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 01:48 AM

Hi @Maik11,

you have to enlarge your stats command:

index=your_index belegnummer=177287
| eval crdate_epoch=strptime(crdate,"%Y-%m-%d")
| eval upddate_epoch=strptime(upddate,"%Y-%m-%d")
| stats dc(belegtyp) AS dc_belegtyp last(upddate) by pid belegnummer
| where dc_belegtyp>1

Anyway, try to apply my approach to your Use Case, it's the best way to learn!

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-23-2022 01:30 AM

Does this get you what you want?

| stats latest(belegtyp) as belegtyp latest(pdid) as pdid by belegnummer
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 01:24 AM

Hi @Maik11,

let me understand:

you extracted two fields (crdate and upddate) that are the creation and update dates of an object called "belegnummer".

You want to know if there are more than one "update" for each belegnummer, is it correct?

if this is your need, you have to run something like this:

index=your_index belegnummer=177287
| eval crdate_epoch=strptime(crdate,"%Y-%m-%d")
| eval upddate_epoch=strptime(upddate,"%Y-%m-%d")
| stats dc(update_epoch) AS dc_update_epoch last(upddate) by belegnummer
| where dc_update_epoch>1

See my approach and adapt it to you need.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...