Question on stats command

Deepz2612 · ‎01-02-2021

Hi,

I want to find the duration of time for only one sourcetype where as the other values for both the sourcetype..

stats range(_time),values(field_a) by sourcetype,field_b |search sourcetype=abc

The above is not helping,coz field_a value is not present in sourcetype abc,so am recieving null value .

Suggestions please

gcusello · ‎01-02-2021

Hi @Deepz2612.,

you have to modify your stats command:

| stats earliest(_time) AS earliest latest(_time) AS latest values(field_a) by sourcetype field_b 
| search sourcetype=abc

In this way you have the borders of your time range.

ciao.

Giuseppe

Deepz2612 · ‎01-04-2021

@gcusello

What you have suggested is same as what i have quoted as an example.

I would like to find the range(_time) (i.e.,duration) for only one sourcetype and other details both the sourcetypes

gcusello · ‎01-04-2021

Hi @Deepz2612,

In this case, you could try to run something like this:

your_search sourcetype=sourcetype_a
| stats earlist(_time) AS earliest latest(_time) AS latest values(field_a) AS field_a BY sourcetype
| append [ search 
     your_search (sourcetype=sourcetype_a OR sourcetype=sourcetype_b)
     | stats values(field_a) AS field_a BY sourcetype
     ]
| stats values(earliest) AS earliest values(latest) AS latest values(field_a) AS field_a BY sourcetype

in this way you have, from the first search, earliest and latest and the other fields for sourcetype_a, and then, from the second search, you have the details for both the sorcetypes.

Ciao.

Giuseppe

Question on stats command

stats

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases