Solved: How to get multiple values of earliest and latest ...

CrossWordKnower · ‎01-23-2025

Hi Splunkers,
This is my first post as I am new to using splunk, but my issue arising when I am trying to pull specific values from a time range within one search. To do this I am using appendcols to add another search, and designate a new value for earliest and latest, then use the "stats latest (field) as 'name' by field, field" command to pull these values out. Here is an example query:

index="index" <search> earliest=-4h@h latest=@h
|stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field 3
|appendcols
[search index="index" <search> earliest=-3h@h latest=-1@h
|stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]

|table DataNew,DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

In my mind, I see no error with this search, but the values for DataMidOld and DataMidNew do not align with the actual data, and are seemingly random. Any help is appreciated!

richgalloway · ‎01-23-2025

The appendcols command rarely is the right answer to an SPL problem. You probably want append.

index="index" <search> earliest=-4h@h latest=@h
|stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field 3
|append
[search index="index" <search> earliest=-3h@h latest=-1@h
  |stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]
``` Re-group the results ```
| stats values(*) as * by Field1, Field2, Field3
|table DataNew,DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

The biggest problem with appendcols is that it requires the results be in the exact same sequence as those from the main search - otherwise, gibberish can result.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

CrossWordKnower · ‎01-23-2025

I think this fixed my issue! thanks! just out of curiosity, what does adding the values(*) do, not sure I have seen that before

isoutamo · ‎01-23-2025

It replace all existing fields so you don’t need to write everything here.
You could also add e.g. values(foo*) as bar* and then it takes only those fields which start with foo and put those as a result fields named bar*. This is quite useful and commonly used feature in SPL.

richgalloway · ‎01-23-2025

The appendcols command rarely is the right answer to an SPL problem. You probably want append.

index="index" <search> earliest=-4h@h latest=@h
|stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field 3
|append
[search index="index" <search> earliest=-3h@h latest=-1@h
  |stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]
``` Re-group the results ```
| stats values(*) as * by Field1, Field2, Field3
|table DataNew,DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

The biggest problem with appendcols is that it requires the results be in the exact same sequence as those from the main search - otherwise, gibberish can result.

---
If this reply helps you, Karma would be appreciated.

How to get multiple values of earliest and latest in one search?

stats

subsearch

table

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?