Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question on stats command

Deepz2612
Explorer
‎01-02-2021 08:00 AM

Hi,

I want to find the duration of time for only one sourcetype where as the other values for both the sourcetype..

stats range(_time),values(field_a) by sourcetype,field_b |search sourcetype=abc

The above is not helping,coz field_a value is not present in sourcetype abc,so am recieving null value .

Suggestions please 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-02-2021 01:20 PM

Hi @Deepz2612.,

you have to modify your stats command:

| stats earliest(_time) AS earliest latest(_time) AS latest values(field_a) by sourcetype field_b 
| search sourcetype=abc

In this way you have the borders of your time range.

ciao.

Giuseppe

0 Karma
Reply

Deepz2612
Explorer
‎01-04-2021 08:29 AM

@gcusello 

What you have suggested is same as what i have quoted as an example.

I would like to find the range(_time) (i.e.,duration) for only one sourcetype and other details both the sourcetypes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-04-2021 08:50 AM

Hi @Deepz2612,

In this case, you could try to run something like this:

your_search sourcetype=sourcetype_a
| stats earlist(_time) AS earliest latest(_time) AS latest values(field_a) AS field_a BY sourcetype
| append [ search 
     your_search (sourcetype=sourcetype_a OR sourcetype=sourcetype_b)
     | stats values(field_a) AS field_a BY sourcetype
     ]
| stats values(earliest) AS earliest values(latest) AS latest values(field_a) AS field_a BY sourcetype

in this way you have, from the first search, earliest and latest and the other fields for sourcetype_a, and then, from the second search, you have the details for both the sorcetypes.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...