
Why does "eventstats last()" fail for one column when I add mvlist=t after the transaction command?

Communicator

In my search, I'm using a transaction. After that, I create a table from the results, then I want to apply an eventstats last() function.
In my table, I have two columns, let's say colA, and colB.
If I'm running the transaction without any further arguments, the last() function works for both columns, like this:

| transaction keyfield
| table colA, colB, keyfield
| eventstats last(colA) as last_colA, last(colB) as last_colB by keyfield

However, for another reason, I need to run the transaction with mvlist=t.
When I do this, the eventstats function fails, but only for one column.
In this case, it fails for colA, but works fine with colB.

I don't get what the difference is, since I have the same type of values in both columns.
If it works for one column, why does it fail for the other one?

0 Karma

Re: Why does "eventstats last()" fail for one column when I add mvlist=t after the transaction command?

SplunkTrust

Do you get a single value for the lastcolA and lastcolB columns, or multivalued fields?

0 Karma

Re: Why does "eventstats last()" fail for one column when I add mvlist=t after the transaction command?

Builder

I am guessing that the issue here is something to do with multivalue fields.

A couple of options come to mind. Do eventstats first...

| eventstats last(colA) as lastcolA, last(colB) as lastcolB by keyfield
| transaction keyfield
| table colA, colB, lastcolA, lastcolB, keyfield

That said, transaction and eventstats are REALLY REALLY inefficient. I would suggest eliminating the transaction command altogether because it can be a monster resource hog and yield incomplete results when used for high-volume searches. Eventstats is pretty brutal too.

Alternatives...

| stats list(colA) AS colA last(colA) as lastcolA list(colB) AS colB last(colB) as lastcolB by keyfield

OR

| stats list(colA) AS colA list(colB) AS colB by keyfield
| eval lastcolA=mvindex(colA,-1)
| eval lastcolB=mvindex(colB,-1)

Let me know if this works and relative performance.

0 Karma

Re: Why does "eventstats last()" fail for one column when I add mvlist=t after the transaction command?

Builder

Did you sort this out?

0 Karma