Splunk Search

How to get boolean fields from a stats max count (event number)

Seawheels51
Path Finder

How do I return field values from a specific max(eventnumber)?

This was helpful but did not solve my issue: Solved: How to get stats max count of a field by another f... - Splunk Community

We are ingesting logs from test devices. Each log has an event number, which I can search on to find the most recent event. When the devices disconnect from our cloud instance, they cache events, which are transmitted at a lower priority (newest to oldest) than real-time events. For example: event #100 connected to cloud, events #101-103 disconnected from cloud and cached, event #104 re-connected to cloud (latest status) received, then event 103 is transmitted, then 102, so using latest/earliest or first/last does not return the most recent status.

The logs consist of an event number and boolean (true/false) fields.

Searching for max(event number) and values(boolean field value) results in both true/false for any time picker period that has multiple events, for example:

| stats max(triggeredEventNumber) values(isCheckIn) values(isAntiSurveillanceViolation) BY userName

userName       max(triggeredEventNumber)   values(isCheckIn)   latest(isAntiSurveillanceViolation)
NS2_GS22_MW    92841                       false true          FALSE

In the example the actual value of isCheckIn was true.

Here is a complete example event:

{
"version": 1,
"logType": "deviceStateEvent",
"deviceSerialNumber": "4234220083",
"userName": "NS2_GS22_MW",
"cloudTimestampUTC": "2025-01-06T18:17:00Z",
"deviceTimestampUTC": "2025-01-06T18:16:46Z",
"triggeredEventNumber": 92841,
"batteryPercent": 87,
"isCheckIn": true,
"isAntiSurveillanceViolation": false,
"isLowBatteryViolation": false,
"isCellularViolation": false,
"isDseDelayed": false,
"isPhonePresent": true,
"isCameraExposed": false,
"isShutterOpen": false,
"isMicExposed": false,
"isCharging": false,
"isPowerOff": false,
"isHibernation": false,
"isPhoneInfoStale": false,
"bleMacAddress": "5c:2e:c6:bc:e4:cf",
"cellIpv4Address": "0.0.0.0",
"cellIpv6Address": "::"
}

1 Solution

ITWhisperer
SplunkTrust
| eventstats max(triggeredEventNumber) as userLastEvent BY userName
| where triggeredEventNumber = userLastEvent

Seawheels51
Path Finder

@richgalloway the problem is that the cached events are delivered more recently (lower priority transmission) than the actual current state event, which is why I search for max(triggeredEventNumber) instead of first/last or earliest/latest, since I cannot forecast how many cached events may be delivered after the current state and before the next current state event is created (as a result of a state change, typically a battery percent change).

Seawheels51
Path Finder

Thank you @ITWhisperer

In my layman's terms: use an eventstats search to find max(triggeredEventNumber) BY userName. Next, use where to select only that max(triggeredEventNumber) for the results.

Then I used stats values(field) to extract the values for the fields I am interested in.
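The accepted answer's eventstats/where approach and the summary above, reproduced as an added Python example that is not from the thread. It runs over constructed events in arrival order (the OTHER_USER record and the Splunk-like helper functions are assumptions for illustration) and shows why latest() picks a cached event while max(triggeredEventNumber) picks the true current state:

```python
# Constructed sample events (not from the original post), listed in the order the
# cloud received them. For NS2_GS22_MW, event 104 is the true current state
# (isCheckIn true); cached events 103..101 arrive afterwards at lower priority.
RECEIVED_EVENTS = [
    {"userName": "NS2_GS22_MW", "triggeredEventNumber": 100,
     "cloudTimestampUTC": "2025-01-06T18:00:00Z", "isCheckIn": False},
    {"userName": "NS2_GS22_MW", "triggeredEventNumber": 104,
     "cloudTimestampUTC": "2025-01-06T18:17:00Z", "isCheckIn": True},
    {"userName": "NS2_GS22_MW", "triggeredEventNumber": 103,
     "cloudTimestampUTC": "2025-01-06T18:17:05Z", "isCheckIn": False},
    {"userName": "NS2_GS22_MW", "triggeredEventNumber": 102,
     "cloudTimestampUTC": "2025-01-06T18:17:06Z", "isCheckIn": False},
    {"userName": "NS2_GS22_MW", "triggeredEventNumber": 101,
     "cloudTimestampUTC": "2025-01-06T18:17:07Z", "isCheckIn": False},
    {"userName": "OTHER_USER", "triggeredEventNumber": 7,
     "cloudTimestampUTC": "2025-01-06T18:10:00Z", "isCheckIn": False},
]


def latest_by_time(events, field):
    """Like `stats latest(field) BY userName`: value from the most recently
    received event per user. ISO-8601 UTC strings compare in time order."""
    newest = {}
    for e in events:
        u = e["userName"]
        if u not in newest or e["cloudTimestampUTC"] > newest[u]["cloudTimestampUTC"]:
            newest[u] = e
    return {u: e[field] for u, e in newest.items()}


def values_by_user(events, field):
    """Like `stats values(field) BY userName`: all distinct values, sorted."""
    out = {}
    for e in events:
        out.setdefault(e["userName"], set()).add(e[field])
    return {u: sorted(v) for u, v in out.items()}


def current_state_by_event_number(events):
    """Like the accepted answer: `eventstats max(triggeredEventNumber) as
    userLastEvent BY userName | where triggeredEventNumber = userLastEvent`.
    First pass finds each user's highest event number; second pass keeps only
    the event carrying it, whatever order the events arrived in."""
    user_last_event = {}
    for e in events:
        u = e["userName"]
        n = e["triggeredEventNumber"]
        user_last_event[u] = max(user_last_event.get(u, n), n)
    return {e["userName"]: e for e in events
            if e["triggeredEventNumber"] == user_last_event[e["userName"]]}
```

With these events, latest_by_time reports isCheckIn as False for NS2_GS22_MW (the cached event 101 arrived last), values_by_user returns both values, and current_state_by_event_number returns event 104 with isCheckIn True.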

Seawheels51
Path Finder

Thank you for the reply @richgalloway
The results I want to see are the fields for that triggered event number only.

richgalloway
SplunkTrust

That is the way the values() function works.  It will list, in lexicographical order, all of the unique values for the given field.  What would you rather see?

---
If this reply helps you, Karma would be appreciated.