Following produces values for a and b in Splunk 8.2.0, but in 8.0.1, values of a is empty
Is there any changes in behaviour of stats latest in 8.2.0?
| makeresults
| eval a=1,b=2
| fields - _time
| stats latest(a) as a by b
Seems like a bug in 8.2 since there shouldn't be a value. You're using latest, but there's no timestamp to go off. Use 'values' instead.
| makeresults
| eval a=1,b=2
| fields - _time
| stats values(a) as a by b
This is not my original search. I created this search to highlight the issue. My original search needs latest instead of values to achieve the desired results.
But thanks for testing this out and letting me know.
How to file a bug report?