Splunk Search

How to get specific value from last event splunk

mishaaaaaaaaaa
Explorer

Hi Splunk community!

How can I get a specific value from the latest event and the earliest event during the period I set?

I need to find the latest event and then get the sum of a specific field value from this latest event, and do the same for the earliest event; then I want to calculate the difference between them.

I can't do something like this because of a feature of my event: I have an accumulating value.

| stats sum(value) as sumValue by _time
| stats earliest(sumValue) as earliestVal latest(sumValue) as latestVal
| eval dif=latestVal-earliestVal 

In this case I got 1+2+3+4... it will be a sequence.

And I can't do it like this, because I have a tag in my value and I will get the max tagValue and min tagValue.

| stats max(value) as maxVal min(value) as minVal
| eval dif = maxVal-minVal

My event:

 value: { [-] 
         name: nameValue
         tags: [ [-] 
           { [-] 
             sampleCount: 11590 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey1 
                 tagName: tagName1
                 tagValue: tagValue1 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 11614 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey2 
                 tagName: tagName2
                 tagValue: tagValue2 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 10872 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey3 
                 tagName: tagName3
                 tagValue: tagValue3 
               } 
             ] 
             value: 0 
           } 
         ] 
       }
0 Karma
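One way to compute the difference described in the question, as an added example that is not part of the original post. It assumes the number to be summed is `sampleCount` at the JSON path `value.tags{}.sampleCount` (swap in `value.tags{}.value` if that is the field meant), and `index=your_index sourcetype=your_sourcetype` is a placeholder base search. The search keeps only the earliest and latest events in the selected time range, sums the field across all tags inside each of those two events, and subtracts:

```spl
index=your_index sourcetype=your_sourcetype
| spath path=value.tags{}.sampleCount output=sampleCount
| eventstats min(_time) as firstTime max(_time) as lastTime
| where _time=firstTime OR _time=lastTime
| mvexpand sampleCount
| stats sum(sampleCount) as sumValue by _time
| sort 0 _time
| stats first(sumValue) as earliestVal last(sumValue) as latestVal
| eval dif = latestVal - earliestVal
```

If several events share the earliest or latest timestamp, their values are summed together in that group.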