Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get specific value from last event splunk

mishaaaaaaaaaa
Explorer
‎03-06-2019 01:41 AM

Hi splunk comunity!

How can i get specific value from latest event and earliest event during the period i set?

I need to find latest event and then get sum of specific field value from this latest event snd to do the same for earliest event then i want to calculate difference between them.

I cant do something like this becouse of feature of my event, i have accumulating value

| stats sum(value) as sumValue by _time
| stats earliest(sumValue) as earliestVal latest(sumValue) as latestVal
| eval dif=latestVal-earliestVal

in this case i got 1+2+3+4... it wil be sequence

And i cant do like this, because i have tag in my value and i will get max tagValue and min tagValue

| stats max(value) as maxVal min(value) as minVal
| eval dif = maxVal-minVal

my event:

 value: { [-] 
         name: nameValue
         tags: [ [-] 
           { [-] 
             sampleCount: 11590 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey1 
                 tagName: tagName1
                 tagValue: tagValue1 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 11614 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey2 
                 tagName: tagName2
                 tagValue: tagValue2 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 10872 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey3 
                 tagName: tagName3
                 tagValue: tagValue3 
               } 
             ] 
             value: 0 
           } 
         ] 
       }
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...