Is there a way to dynamically set latest in tstats...

fredclown · ‎05-25-2022

I've done this in the past and it works to get data for today up to the latest 5 minute span, but I'm hoping to speed it up with tstats.

index="foo" sourcetype="foo" earliest=-0d@d latest=[|makeresults | eval snap=floor(now()/300)*300 | return $snap]
| stats sum(b) as bytes ....

I tried this but it doesn't work.

| tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" sourcetype="foo" earliest=-0d@d latest=[|makeresults | eval snap=floor(now()/300)*300 | return $snap]
| ....

I could do this potentially but it doesn't seem to be much better and quite frankly is a bit more confusing.

| tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" sourcetype="foo" earliest=-0d@d by _time span=1min
| where _time < floor(now()/300)*300
| rename stuff.* as *
| stats sum(bytes) as bytes ....

If there is anyway to do it in the tstats command that would be great ... thoughts?

somesoni2 · ‎05-25-2022

Try like this

| tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" AND sourcetype="foo" AND earliest=-0d@d AND [|makeresults | eval latest=floor(now()/300)*300 | table latest] 
| ....

fredclown · ‎05-31-2022

It's odd. When I run it like that I basically get double the counts, than if I just hard code the values.

VatsalJagani · ‎05-31-2022

@fredclown - Please check the job inspector to see are you getting the proper latest value as you expect or not.

Is there a way to dynamically set latest in tstats?

stats

subsearch

tstats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation