Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter a result with two timestamp ?

mah
Builder
‎10-01-2020 09:04 AM

Hi,

I have a search which I want to optimise by replace the join command : 

index="AAA" sourcetype=BBB
| stats count(OK) as OK as TOTAL by Date ID
| bin Date span=1d
| stats sum(OK)  by Date ID
| sort -Date

it returns results like this : 
DateIDOK
2020-09-30XXX123
2020-09-30YYY26
2020-09-29ZZZ763
2020-09-29XXX453

 

I want to retrieve only the last Date of each day but the only way to do that is by catching the last ID which is based on another timestamp. So I have a second request which retrieve the last ID : 

index="AAA" sourcetype=BBB

| stats max(Timestamp) as Timestamp by ID
| sort  Timestamp desc
| head 1

The result is : 

ID
XXX

I use a join command but I would like to know ik there is another way to create the search without the join.

Do you have a better solution ?

Thanks 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-02-2020 01:21 AM 
index="AAA" sourcetype=BBB
| bin Date span=1d
| stats sum(OK) by Date ID
| eventstats latest(ID) as latestID
| where ID=latestID
| fields - latestID
| sort -Date

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-01-2020 09:25 AM 
index="AAA" sourcetype=BBB
| bin Date span=1d
| stats sum(OK) by Date ID
| eventstats latest(Date) as latestDate by ID
| where Date=latestDate
| fields - latestDate
| sort -Date
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎10-02-2020 01:08 AM

Hi, it does not work because :

- in the first query the timestamp is a field call "Date"

- in the second query the timestamp to get the last ID is "Timestamp" : the query must return just one ID 

Your search still returns events with not always the last ID : 

DateIDOK
2020-09-01XXX (latest)344
2020-09-30AAA867
2020-09-30XXX (latest)3473
2020-09-30BBB5387
2020-09-29BBB

772

2020-09-29XXX (latest)82

 

But what I want is a table like that :

DateIDOK
2020-09-01XXX (latest)344
2020-09-30XXX (latest)3473
2020-09-29XXX (latest)82
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-02-2020 01:21 AM 
index="AAA" sourcetype=BBB
| bin Date span=1d
| stats sum(OK) by Date ID
| eventstats latest(ID) as latestID
| where ID=latestID
| fields - latestID
| sort -Date
Reply
Solved! Jump to solution

mah
Builder
‎10-02-2020 01:30 AM

Great ! It is exactly my need !

Thank you ! 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...