Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get specific value from last event splunk

mishaaaaaaaaaa
Explorer
‎03-06-2019 01:41 AM

Hi splunk comunity!

How can i get specific value from latest event and earliest event during the period i set?

I need to find latest event and then get sum of specific field value from this latest event snd to do the same for earliest event then i want to calculate difference between them.

I cant do something like this becouse of feature of my event, i have accumulating value

| stats sum(value) as sumValue by _time
| stats earliest(sumValue) as earliestVal latest(sumValue) as latestVal
| eval dif=latestVal-earliestVal

in this case i got 1+2+3+4... it wil be sequence

And i cant do like this, because i have tag in my value and i will get max tagValue and min tagValue

| stats max(value) as maxVal min(value) as minVal
| eval dif = maxVal-minVal

my event:

 value: { [-] 
         name: nameValue
         tags: [ [-] 
           { [-] 
             sampleCount: 11590 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey1 
                 tagName: tagName1
                 tagValue: tagValue1 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 11614 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey2 
                 tagName: tagName2
                 tagValue: tagValue2 
               } 
             ] 
             value: 0 
           } 
           { [-] 
             sampleCount: 10872 
             tagValues: [ [-] 
               { [-] 
                 tagKey: tagKey3 
                 tagName: tagName3
                 tagValue: tagValue3 
               } 
             ] 
             value: 0 
           } 
         ] 
       }
Tags (1)
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
Top