Question on stats command

Deepz2612 · ‎01-02-2021

Hi,

I want to find the duration of time for only one sourcetype where as the other values for both the sourcetype..

stats range(_time),values(field_a) by sourcetype,field_b |search sourcetype=abc

The above is not helping,coz field_a value is not present in sourcetype abc,so am recieving null value .

Suggestions please

gcusello · ‎01-02-2021

Hi @Deepz2612.,

you have to modify your stats command:

| stats earliest(_time) AS earliest latest(_time) AS latest values(field_a) by sourcetype field_b 
| search sourcetype=abc

In this way you have the borders of your time range.

ciao.

Giuseppe

Deepz2612 · ‎01-04-2021

@gcusello

What you have suggested is same as what i have quoted as an example.

I would like to find the range(_time) (i.e.,duration) for only one sourcetype and other details both the sourcetypes

gcusello · ‎01-04-2021

Hi @Deepz2612,

In this case, you could try to run something like this:

your_search sourcetype=sourcetype_a
| stats earlist(_time) AS earliest latest(_time) AS latest values(field_a) AS field_a BY sourcetype
| append [ search 
     your_search (sourcetype=sourcetype_a OR sourcetype=sourcetype_b)
     | stats values(field_a) AS field_a BY sourcetype
     ]
| stats values(earliest) AS earliest values(latest) AS latest values(field_a) AS field_a BY sourcetype

in this way you have, from the first search, earliest and latest and the other fields for sourcetype_a, and then, from the second search, you have the details for both the sorcetypes.

Ciao.

Giuseppe

Question on stats command

stats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio