How to get specific value from last event splunk

mishaaaaaaaaaa
Explorer

Hi Splunk community!

How can I get a specific value from the latest event and from the earliest event during the period I set?

I need to find the latest event and then get the sum of a specific field value from this latest event, and do the same for the earliest event; then I want to calculate the difference between them.

I can't do something like this because of a feature of my event: I have an accumulating value

| stats sum(value) as sumValue by _time
| stats earliest(sumValue) as earliestVal latest(sumValue) as latestVal
| eval dif=latestVal-earliestVal

in this case I got 1+2+3+4... it will be a sequence

And I can't do it like this, because I have tags in my value and I will get the max tagValue and min tagValue

| stats max(value) as maxVal min(value) as minVal
| eval dif = maxVal-minVal

my event:

{
  "value": {
    "name": "nameValue",
    "tags": [
      {
        "sampleCount": 11590,
        "tagValues": [
          { "tagKey": "tagKey1", "tagName": "tagName1", "tagValue": "tagValue1" }
        ],
        "value": 0
      },
      {
        "sampleCount": 11614,
        "tagValues": [
          { "tagKey": "tagKey2", "tagName": "tagName2", "tagValue": "tagValue2" }
        ],
        "value": 0
      },
      {
        "sampleCount": 10872,
        "tagValues": [
          { "tagKey": "tagKey3", "tagName": "tagName3", "tagValue": "tagValue3" }
        ],
        "value": 0
      }
    ]
  }
}
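One way to get the per-event sum of the tag values from only the earliest and latest events and take their difference, as an added SPL example that is not part of the original post. The index and sourcetype names are placeholders, and the field path value.tags{}.value is taken from the event above; it assumes the wanted number is (sum of tags{}.value in the latest event) minus (the same sum in the earliest event).

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-24h latest=now
| spath path=value.tags{}.value output=tagVal
| streamstats count as eventNo
| mvexpand tagVal
| stats first(_time) as _time sum(tagVal) as sumValue by eventNo
| stats earliest(sumValue) as earliestVal latest(sumValue) as latestVal
| eval dif = latestVal - earliestVal
```

Summing by a per-event counter (eventNo) instead of by _time keeps events that share a timestamp apart, and because only the earliest and latest per-event sums are compared, the accumulating series in between never enters the calculation.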