Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why does "eventstats last()" fail for one column w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does "eventstats last()" fail for one column when I add mvlist=t after the transaction command?
szabados
Communicator
01-03-2017
07:19 AM
In my search, I'm using a transaction. After that, I create a table from the results, then I want to apply an eventstats last() function.
In my table, I have two columns, let's say colA, and colB.
If I'm running the transaction without any further arguments, the last() function works for both columns, like this:
| transaction keyfield
| table colA, colB, keyfield
| eventstats last(colA) as last_colA, last(colB) as last_colB by keyfield
However, for another reason, I need to run the transaction with mvlist=t.
When I do this, the eventstats function fails, but only for one column.
In this case, fails for colA, but works fine with colB.
I don't get what is the difference, since I'm having the same type of values in both columns.
If it works for one column, why does it fail for the other one?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snoobzilla
Builder
01-05-2017
04:36 AM
I am guessing that the issue here is something to do with multivalue fields.
A couple of options come to mind, do eventstats first...
| eventstats last(colA) as last_colA, last(colB) as last_colB by keyfield
| transaction keyfield
| table colA, colB, last_colA, last_colB, keyfield
That said transaction and eventstats is REALLY REALLY inefficient. I would suggest eliminating transaction command altogether because it can be a monster resource hog and yield incomplete results when used for high volume searches. Eventstats is pretty brutal too.
Alternatives...
| stats list(colA) AS colA last(colA) as last_colA list(colB) AS colB last(colB) as last_colB by keyfield
OR
| stats list(colA) AS colA list(colB) AS colB by keyfield
| eval last_colA=mvindex(colA,-1)
| eval last_colB=mvindex(colB,-1)
Let me know if this works and relative performance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snoobzilla
Builder
01-16-2017
08:51 AM
Did you sort this out?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-03-2017
11:44 AM
Do you get single value for last_colA and last_colB columns OR multivalued fields?
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
