Solved: Re: Show the latest values from dataset difference...

awwong1 · ‎05-04-2015

I have the following two splunk data messages.

curtime=1430757796; ioVal1=A; ioVal3=B;
curtime=1430757729; ioVal1=1; ioVal2=2; ioVal3=3;

Given the following query:

index="foobar" | table io*

I get the following result:

Heading: || ioVal1 | | ioVal2 | | ioVal3 ||
Row 1:   | A        |          | B        |
Row 2:   | 1        | 2        | 3        |

Where Row 1 occurs after Row 2 does, is there a query that can combine these two rows such that the output is

Heading: || ioVal1 | | ioVal2 | | ioVal3 ||
Row 1:   | A        | 2        | B        |

This query should be applicable for:

an arbitrary number of rows and columns
Datasets where each consecutive row may contain different keys (For example, a Row 3 could contain ioVal4=frog;)

awwong1 · ‎05-05-2015

I ended up going with:

index="foobar" | stats latest(io*) as io*

awwong1 · ‎05-05-2015

I ended up going with:

index="foobar" | stats latest(io*) as io*

woodcock · ‎05-04-2015

index="foobar" | fields io* | stats last(*)

Show the latest values from dataset differences?