Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search to get value from the last event?

Sanjana
Explorer
‎09-05-2022 04:56 AM

Hello folks,

I have Logger lines as below:

job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1, "nbPropertyPerExecution":5, "propertyEndCount":6, "nbPropertyForCurrentExecution":5 }

job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR2", "nbProperties":1345, "propertyStartCount":6, "nbPropertyPerExecution":5, "propertyEndCount":11, "nbPropertyForCurrentExecution":5 }

------These lines continue till propertyEndCount = nbProperties but sometimes it does not get equal  and stops randomly like below.
This job stopped at "propertyEndCount":1076 only

job MONITOR-DESYNC-3-6AQ-Q7Z: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1071, "nbPropertyPerExecution":5, "propertyEndCount":1076, "nbPropertyForCurrentExecution":5 }

SPlunk query to find how many hotels got covered  for each chain . In this case
Output Expected is:

chain total-property  covered-property
     PR1         1345                      1076

     PR2          1345                   1000

I am quite new to splunk query. I think If somehow  I could fetch the value of propertyEndCount from the last event then it should work.

If anyone can provide some solution to get as expected result mentioned above.

Thanks in Advance.

 

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 05:05 AM

Hi @Sanjana,

you could use stats and try something like this:

<your_search>
| stats max(propertyStartCount) AS propertyStartCount max(propertyEndCount) AS propertyEndCount BY chain nbProperties
| where propertyEndCount>propertyStartCount

in this way you group transactions for chain and nbProperties and you have have only the transactions where start and end count are different.

Ciao.

Giuseppe

0 Karma
Reply

Sanjana
Explorer
‎09-05-2022 06:58 AM

Hello @gcusello 

 

Thanks for the response.

But I am not able to fetch data as expected. No statistics is coming

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 07:43 AM

Hi @Sanjana,

sorry but I don't understand: why aren't you able to perform a stats command?

The problem is that you have many events and you need to take only the last value.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...