Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get specific value from last event splunk

mishaaaaaaaaaa
Explorer
‎03-06-2019 01:41 AM

Hi splunk comunity!

How can i get specific value from latest event and earliest event during the period i set?

I need to find latest event and then get sum of specific field value from this latest event snd to do the same for earliest event then i want to calculate difference between them.

I cant do something like this becouse of feature of my event, i have accumulating value

| stats sum(value) as sumValue by _time
| stats earliest(sumValue) as earliestVal latest(sumValue) as latestVal
| eval dif=latestVal-earliestVal

in this case i got 1+2+3+4... it wil be sequence

And i cant do like this, because i have tag in my value and i will get max tagValue and min tagValue

| stats max(value) as maxVal min(value) as minVal
| eval dif = maxVal-minVal

my event:

 value: { [-] 
         name: nameValue
         tags: [ [-] 
           { [-] 
             sampleCount: 11590 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey1 
                 tagName: tagName1
                 tagValue: tagValue1 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 11614 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey2 
                 tagName: tagName2
                 tagValue: tagValue2 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 10872 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey3 
                 tagName: tagName3
                 tagValue: tagValue3 
               } 
             ] 
             value: 0 
           } 
         ] 
       }
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...