Solved: Need to extract latest value from multiple matches...

thiru25 · ‎05-01-2013

Hello, The following query results in multiple results when the where condition(where msgdiff=dailypeak) is met but I want just latest result, please help?

index="ContentGateway" sourcetype=Messagestats  host="cg1-e-fid-bos-l1" 
| streamstats current=t window=2 global=f allnum=t range(Messages) as msgdiff by host source
| eval msgdiff=msgdiff/5
| rex field=source "/home/activ/ContentGateway/log/updates/MessageStatistics.(?<feed>\w*(?!\d)\w)"
| bin _time span=5s
| stats sum(msgdiff) as msgdiff by _time feed
| eventstats max(msgdiff) as dailypeak by feed 
| where msgdiff=dailypeak
| table  feed dailypeak _time

thanks,
Thiru.

jonuwz · ‎05-02-2013

replace

| table  feed dailypeak _time

with

| stats max(_time) as _time by feed dailypeak

View solution in original post

jonuwz · ‎05-02-2013

replace

| table  feed dailypeak _time

with

| stats max(_time) as _time by feed dailypeak

Need to extract latest value from multiple matches?

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

Need to extract latest value from multiple matches?

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps