Is there a way to dynamically set latest in tstats...

fredclown · ‎05-25-2022

I've done this in the past and it works to get data for today up to the latest 5 minute span, but I'm hoping to speed it up with tstats.

index="foo" sourcetype="foo" earliest=-0d@d latest=[|makeresults | eval snap=floor(now()/300)*300 | return $snap]
| stats sum(b) as bytes ....

I tried this but it doesn't work.

| tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" sourcetype="foo" earliest=-0d@d latest=[|makeresults | eval snap=floor(now()/300)*300 | return $snap]
| ....

I could do this potentially but it doesn't seem to be much better and quite frankly is a bit more confusing.

| tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" sourcetype="foo" earliest=-0d@d by _time span=1min
| where _time < floor(now()/300)*300
| rename stuff.* as *
| stats sum(bytes) as bytes ....

If there is anyway to do it in the tstats command that would be great ... thoughts?

somesoni2 · ‎05-25-2022

Try like this

| tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" AND sourcetype="foo" AND earliest=-0d@d AND [|makeresults | eval latest=floor(now()/300)*300 | table latest] 
| ....

fredclown · ‎05-31-2022

It's odd. When I run it like that I basically get double the counts, than if I just hard code the values.

VatsalJagani · ‎05-31-2022

@fredclown - Please check the job inspector to see are you getting the proper latest value as you expect or not.

Is there a way to dynamically set latest in tstats?

stats

subsearch

tstats

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?