Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using stats and table command

Vig95
Engager
‎07-22-2023 01:10 PM

Hi,

I am new to splunk, could you please help me with below SPL, I am trying to use stats and table command

We have 4 entries for same incident, I need to pick earliest time.

Index="monitoring" sourcetype="tool" incident_id=INC* | stats earliest(_time) as early | table "mc_host" "incident_id" "early" | convert ctime(early)

 

I am getting error if execute.

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-23-2023 01:15 AM

Hi @Vig95,

the solution is the one hinted by @isoutamo because after a stats command you have only the fields used in the stats command itself, so you have to declare (using e.g. values or earliest) all the fields you need in the following table, that couldn't be necessary if the fields from the stats command are already in the order you want:

index="monitoring" sourcetype="tool" incident_id=INC* 
| stats earliest(_time) as early BY mc_host incident_id
| convert ctime(early)

Ciao.

giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-23-2023 01:15 AM

Hi @Vig95,

the solution is the one hinted by @isoutamo because after a stats command you have only the fields used in the stats command itself, so you have to declare (using e.g. values or earliest) all the fields you need in the following table, that couldn't be necessary if the fields from the stats command are already in the order you want:

index="monitoring" sourcetype="tool" incident_id=INC* 
| stats earliest(_time) as early BY mc_host incident_id
| convert ctime(early)

Ciao.

giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2023 07:08 AM

Hi @Vig95 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-22-2023 01:22 PM

Hi

you probably want to see it by inc? If so you could try

Index="monitoring" sourcetype="tool" incident_id=INC* 
| stats min(_time) as _time values(mc_host) as mc_host by incident_id
| table "mc_host" "incident_id" _time

r. Ismo 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...