Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract date of the latest event after group by?

sagar1992
Explorer
‎03-14-2019 08:23 AM

Hi Team,

I am facing issue after using group by clause. (Need date of the grouped event in DD-MM-YYYY )

The search that I am using is below:

index="test_mulesoft"  sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.*:\W+(?.*)\"" | stats count as result values(numberOfRequests) as request_id by numberOfRequests, | eval result = if (result==2,"SUCCESS","ERROR REPORTED")  | table request_id,result,DateTime

Basically, I am grouping with correlation id, once grouped i need timestamp of any event. (Screenshot below)

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damann
Communicator
‎03-14-2019 08:36 AM

after your |stats count ... you will lose your field DateTime.
You can use eventstats instead of stats which will hold all your fields.

To make things clear: does your search results all have the same value for DateTime? Then you could add DateTime to your by clause in your stats command

index="test_mulesoft" sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.:\W+(?.)\"" | stats count as result values(numberOfRequests) as request_id by numberOfRequests DateTime | eval result = if (result==2,"SUCCESS","ERROR REPORTED") | table request_id,result,DateTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

damann
Communicator
‎03-14-2019 08:36 AM

after your |stats count ... you will lose your field DateTime.
You can use eventstats instead of stats which will hold all your fields.

To make things clear: does your search results all have the same value for DateTime? Then you could add DateTime to your by clause in your stats command

index="test_mulesoft" sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.:\W+(?.)\"" | stats count as result values(numberOfRequests) as request_id by numberOfRequests DateTime | eval result = if (result==2,"SUCCESS","ERROR REPORTED") | table request_id,result,DateTime
0 Karma
Reply
Solved! Jump to solution

sagar1992
Explorer
‎03-14-2019 09:51 AM

Thanks for the reply @damann, however after using eventstats command, I am no longer able to get a single entry. however, able to retrieve date.

0 Karma
Reply
Solved! Jump to solution

sagar1992
Explorer
‎03-14-2019 09:56 AM

@damann it worked.!! Thank You so much!! I used dedup command to get rid of duplicate entry.

Still in the learning phase. Thanks once again.

index="test_mulesoft" sourcetype="SFTP-Highradius" 61c1bf00-45e7-11e9-bb4e-12376871b014 | rex field=_raw "corelationid.:\W+(?.)\"" | eventstats latest(numberOfRequests) as request_id by numberOfRequests | dedup request_id | table _time,request_id

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...