Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search to get value from the last event?

Sanjana
Explorer
‎09-05-2022 04:56 AM

Hello folks,

I have Logger lines as below:

job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1, "nbPropertyPerExecution":5, "propertyEndCount":6, "nbPropertyForCurrentExecution":5 }

job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR2", "nbProperties":1345, "propertyStartCount":6, "nbPropertyPerExecution":5, "propertyEndCount":11, "nbPropertyForCurrentExecution":5 }

------These lines continue till propertyEndCount = nbProperties but sometimes it does not get equal  and stops randomly like below.
This job stopped at "propertyEndCount":1076 only

job MONITOR-DESYNC-3-6AQ-Q7Z: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1071, "nbPropertyPerExecution":5, "propertyEndCount":1076, "nbPropertyForCurrentExecution":5 }

SPlunk query to find how many hotels got covered  for each chain . In this case
Output Expected is:

chain total-property  covered-property
     PR1         1345                      1076

     PR2          1345                   1000

I am quite new to splunk query. I think If somehow  I could fetch the value of propertyEndCount from the last event then it should work.

If anyone can provide some solution to get as expected result mentioned above.

Thanks in Advance.

 

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 05:05 AM

Hi @Sanjana,

you could use stats and try something like this:

<your_search>
| stats max(propertyStartCount) AS propertyStartCount max(propertyEndCount) AS propertyEndCount BY chain nbProperties
| where propertyEndCount>propertyStartCount

in this way you group transactions for chain and nbProperties and you have have only the transactions where start and end count are different.

Ciao.

Giuseppe

0 Karma
Reply

Sanjana
Explorer
‎09-05-2022 06:58 AM

Hello @gcusello 

 

Thanks for the response.

But I am not able to fetch data as expected. No statistics is coming

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 07:43 AM

Hi @Sanjana,

sorry but I don't understand: why aren't you able to perform a stats command?

The problem is that you have many events and you need to take only the last value.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...