Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use streamstats to display the last current result?

desslerlee
Explorer
‎01-25-2018 02:05 AM

Hi all,

I am trying to use streamstats to display an event for a particular user, their current Payment Number for this month, and the subsequent Payment number for the next event. (Do note that I sort the date in reverse order).

 | sort  -TransactDate
  | streamstats current=f window=1 last("Payment Number") as NextPaymentNumber  
  | table  Username,  "TransactDate","Payment Number", NextPaymentNumber

I almost get the result I want as below:

 Username       TransactDate         Payment Number      NextPaymentNumber
    Adam                   2/2/2017               2                       3
    Adam                   2/1/2017               1                       2

However, what I need is something like below:

Username       TransactDate         Payment Number      NextPaymentNumber
     Adam                   2/3/2017               3                       3
    Adam                   2/2/2017               2                       3
    Adam                   2/1/2017               1                       2

Where the record on 2/3/2017 is the latest record, and the latest and maximum Payment number is 3.

Please advice how could I achieve that? Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
SplunkTrust
SplunkTrust
‎01-25-2018 04:53 PM

Try something like this

 your search that gets the payments (most recent first)
| reverse
| streamstats count as payno by Username
| reverse
| streamstats current=f window=1 last(payno) as nextpayno by Username
| eval nextpayno = coalesce(nextpayno, payno)

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
SplunkTrust
SplunkTrust
‎01-25-2018 04:53 PM

Try something like this

 your search that gets the payments (most recent first)
| reverse
| streamstats count as payno by Username
| reverse
| streamstats current=f window=1 last(payno) as nextpayno by Username
| eval nextpayno = coalesce(nextpayno, payno)
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-25-2018 01:47 PM

Do you want to add an extra row for each user with latest date (max date +1) and latest (max + 1) PaymentNumber?

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-25-2018 02:38 AM

i am getting the results with your query!

| makeresults 
|  eval raw="Adam2/2/201723 Adam2/1/201712 Adam2/3/201733" 
| makemv raw
| mvexpand raw 
| rex field=raw "(?<Username>[^\d]+)(?<TransactDate>\d\/\d\/\d{4})(?<PaymentNumber>\d)(?<NextPaymentNumber>\d)" 
|  fields- raw _time | sort- TransactDate | streamstats   last("PaymentNumber") as NextPaymentNumber 
| table Username, "TransactDate","PaymentNumber", NextPaymentNumber

can you try putting table command | table Username, "TransactDate","Payment Number", NextPaymentNumber before streamstats and see if you are getting a proper table with descending transactdate.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...