Splunk Search

How to maintain latest value for multiple values of a field

timbilt
Loves-to-Learn Lots

Given the following events

HOST    VALUE
Host1   1
Host2   4
Host3   2
Host2   7
Host3   5
Host1   8
How do I maintain the latest value for each host to give a result like the one below?

HOST    VALUE   LATEST
Host1   1       Host1-1
Host2   4       Host1-1, Host2-4
Host3   2       Host1-1, Host2-4, Host3-2
Host2   7       Host1-1, Host2-7, Host3-2
Host3   5       Host1-1, Host2-7, Host3-5
Host1   8       Host1-8, Host2-7, Host3-5

to4kawa
Ultra Champion
|makeresults
| eval _raw="HOST	VALUE
Host1	1
Host2	4
Host3	2
Host2	7
Host3	5
Host1	8"
| multikv forceheader=1
| table HOST VALUE
| rename COMMENT as "this is your sample. from here, the logic"
| rename COMMENT as "number events from newest (1) to oldest; zero-pad so the string sort below stays numeric past 9 events"
| reverse
| streamstats count
| reverse
| eval tmp=printf("%06d", count)."_".HOST."_".VALUE
| rename COMMENT as "values() accumulates every earlier tuple in sorted order, so the newest tuple sorts first; session numbers the original events"
| streamstats values(tmp) as tmp
| streamstats count as session
| mvexpand tmp
| rename COMMENT as "anchored regex: HOST takes everything up to the last underscore, VALUE may be multi-digit"
| rex field=tmp "^\d+_(?<HOST>.+)_(?<VALUE>[^_]+)$"
| rename COMMENT as "within a session the first row per HOST is that host's newest VALUE"
| streamstats first(VALUE) as VALUE by session HOST
| eval tmp2=HOST."-".VALUE
| streamstats first(HOST) as HOST first(VALUE) as VALUE values(tmp2) as LATEST by session
| stats values(LATEST) as LATEST by session HOST VALUE delim=","
| sort 0 session
| fields - session
| nomv LATEST
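To make explicit what the streamstats/mvexpand pipeline above computes, here is the same "latest value of every host seen so far, per event" logic as a stand-alone Python reference. This is an added example for this page, not code from the thread and not SPL; the `SAMPLE_EVENTS` text is constructed from the six events in the question, and the function names are my own. It is useful as ground truth to compare a search's output against, and it covers two cases worth checking any SPL version on: multi-digit values and more than nine events.

```python
"""Reference implementation of "latest VALUE per HOST at each event"."""

# Constructed sample input: the six tab-separated events from the question,
# with the same header row that multikv forceheader=1 consumes.
SAMPLE_EVENTS = (
    "HOST\tVALUE\n"
    "Host1\t1\n"
    "Host2\t4\n"
    "Host3\t2\n"
    "Host2\t7\n"
    "Host3\t5\n"
    "Host1\t8\n"
)


def parse_events(text):
    """Parse a header row plus tab-separated data rows into a list of
    (host, value) pairs in event order (what multikv does to the _raw sample)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    host_col, value_col = header.index("HOST"), header.index("VALUE")
    events = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        events.append((cols[host_col], cols[value_col]))
    return events


def running_latest(events):
    """Yield (host, value, latest) per event, where `latest` is the newest VALUE
    of every host seen up to and including that event, rendered "Host-Value".

    A dict keyed by host is enough: assigning on every event means the most
    recent VALUE wins, which is what the reversed count plus first(VALUE)
    achieves in SPL. Hosts are emitted in string-sorted order to match the
    ordering of Splunk's values(), so "Host10" sorts before "Host2" here too.
    """
    latest = {}
    for host, value in events:
        latest[host] = value
        rendered = ", ".join(f"{h}-{latest[h]}" for h in sorted(latest))
        yield host, value, rendered


def latest_table(text):
    """Parse the sample text and return the full HOST/VALUE/LATEST table."""
    return list(running_latest(parse_events(text)))


if __name__ == "__main__":
    print("HOST\tVALUE\tLATEST")
    for host, value, rendered in latest_table(SAMPLE_EVENTS):
        print(f"{host}\t{value}\t{rendered}")
```

Running the file prints the expected table from the question. Feeding `running_latest` a longer constructed event list (for instance twelve events with two-digit values) shows the same overwrite-and-render rule holding where a single-digit regex or a string-sorted counter would not.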