Re: How to extract three latest values of a field...

pomazanelvira · ‎03-23-2020

Hi! I have different events and for every event i have a list of reasons. I want to display only three of the reasons for each event, which are latest by time. I use this code:
| stats values(Reason) as Reason, values(_time) AS Time by event
| sort Reason by Time
| eval Reason=mvindex(Reason,0,2)
| table event, Time, Reason
This doesn't work. What should I do to make it work?

wmyersas · ‎03-23-2020

What I've done when I want the X^th-many/most recent items is the following:

<search>
| eval field_time=_time+"|"+field
| stats values(field_time) as field_time <rest of stats here>
| eval recent_1st=mvindex(field_time,-1), recent_2nd=mvindex(field_time,-2) [, etc etc]
| rex field=recent_1st "(?<when_1st>\d+)\|(?<field_1st>.+)"
| rex field=recent_2nd "(?<when_2nd>\d+)\|(?<field_2nd>.+)"
| ...more rex lines as needed
| table field_1st when_1st field_2nd when_2nd <other fields as desired>
| eval when_1st=strftime(when_1st,"%c"), when_2nd=strftime(when_2nd,"%c) [,etc etc]

Feel free to use different strftime formatting as desired

You have to combine the time into the field so that it sorts the way you want with values()

richgalloway · ‎03-23-2020

What results do you get?

---
If this reply helps you, Karma would be appreciated.

pomazanelvira · ‎03-23-2020

I get a table, but Reasons are not sorted by time. So, i don't get the latest reasons

How to extract three latest values of a field by field?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...