Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get multiple values of earliest and latest in one search?

CrossWordKnower
Explorer
‎01-23-2025 12:38 PM

Hi Splunkers, 
This is my first post as I am new to using splunk, but my issue arising when I am trying to pull specific values from a time range within one search. To do this I am using appendcols to add another search, and designate a new value for earliest and latest, then use the "stats latest (field) as 'name' by field, field" command to pull these values out. Here is an example query:

index="index" <search> earliest=-4h@h latest=@h
|stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field 3
|appendcols
[search index="index" <search> earliest=-3h@h latest=-1@h
|stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]

|table DataNew,DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

In my mind, I see no error with this search, but the values for DataMidOld and DataMidNew do not align with the actual data, and are seemingly random. Any help is appreciated!

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2025 12:50 PM

The appendcols command rarely is the right answer to an SPL problem.  You probably want append.

index="index" <search> earliest=-4h@h latest=@h
|stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field 3
|append
[search index="index" <search> earliest=-3h@h latest=-1@h
  |stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]
``` Re-group the results ```
| stats values(*) as * by Field1, Field2, Field3
|table DataNew,DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

 The biggest problem with appendcols is that it requires the results be in the exact same sequence as those from the main search - otherwise, gibberish can result.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

CrossWordKnower
Explorer
‎01-23-2025 01:02 PM

I think this fixed my issue! thanks! just out of curiosity, what does adding the values(*) do, not sure I have seen that before

 

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-23-2025 01:16 PM
It replace all existing fields so you don’t need to write everything here.
You could also add e.g. values(foo*) as bar* and then it takes only those fields which start with foo and put those as a result fields named bar*. This is quite useful and commonly used feature in SPL.
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2025 12:50 PM

The appendcols command rarely is the right answer to an SPL problem.  You probably want append.

index="index" <search> earliest=-4h@h latest=@h
|stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field 3
|append
[search index="index" <search> earliest=-3h@h latest=-1@h
  |stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]
``` Re-group the results ```
| stats values(*) as * by Field1, Field2, Field3
|table DataNew,DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

 The biggest problem with appendcols is that it requires the results be in the exact same sequence as those from the main search - otherwise, gibberish can result.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...