## Why does the stats function remove my fields and what Splunk solutions can I use for the following order: 1st do latest(_time) -> then do sum(on the result of latest)

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

net1993

Path Finder

01-21-2019
05:00 AM

Hi,

I read a while ago how much easier Splunk is than SQL, but I do not agree within the context of my issue :(

I want to get the latest values based on a field and then use a different field, but according to SPL this is not so common, and I need to spend hours hitting my head on the table.

So, basically, here's what I want:

```
|stats latest(_time) by A
```

-> I now want to see/use values for field C, but I cannot, as after stats the only fields that are left are the ones mentioned in stats.

1 Solution


kamlesh_vaghela

SplunkTrust

01-21-2019
05:10 AM

@net1993

**Answer Updated from comments:**

Please try this one.

`YOUR_SEARCH | eventstats latest(C) as C1 by A | stats values(C1) as C1 latest(_time) as T by A | eval _time=T | stats sum(C1) as C`

If you just remove the commands one by one, you will see how the result flows.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventstats

**My Sample Search:**

```
| makeresults
| eval _raw="A=text1,C=23,Time=20180101", _time=(_time-(86000*4))
| append
[| makeresults
| eval _raw="A=text2,C=33,Time=20180102", _time=(_time-(86000*3)) ]
| append
[| makeresults
| eval _raw="A=text1,C=24,Time=20180103", _time=(_time-(86000*2)) ]
| append
[| makeresults
| eval _raw="A=text2,C=54,Time=20180104", _time=(_time-(86000*1)) ]
| kv
| eventstats latest(C) as C1 by A | stats values(C1) as C1 latest(_time) as T by A | eval _time=T | stats sum(C1) as C
```

**Happy Splunking**

net1993

Path Finder

01-21-2019
05:14 AM

Hmm, no, this is not doing what I need. I tried, but instead of doing grouping, it does something else.


kamlesh_vaghela

SplunkTrust

01-21-2019
06:27 AM

1) A table of your events with your expected fields.

2) Your final expected table.


kamlesh_vaghela

SplunkTrust

01-21-2019
06:32 AM

@net1993

Can you please try these?

```
|stats latest(_time) as Time by B,C |stats sum(C)
```

OR

```
|stats latest(_time) as Time , latest(C) as C by B |stats sum(C)
```

OR

```
|stats latest(_time) as Time , values(C) as C by B |stats sum(C)
```


net1993

Path Finder

01-21-2019
06:33 AM

Yes, I hope this is enough?

Before using the stats function I have the following fields:

A, B, C, _time

Then I do this:

```
|stats latest(_time) by B
```

I want to see the resulting values for field C for every value of field B.

Then if I want to do that:

```
|stats sum(C)
```

I get an error, as field C doesn't exist anymore because it's not mentioned in the stats command.

Let me know if this is not clear.


kamlesh_vaghela

SplunkTrust

01-21-2019
06:36 AM

@net1993

Can you please share sample output of `A, B, C, _time`?

net1993

Path Finder

01-21-2019
06:52 AM

```
A|C|_time
text1|23|20180101
text2|33|20180102
text1|24|20180103
text2|54|20180104
```

```
|stats latest(_time) by A
```

```
A|C|_time
text1|20180103
text2|20180104
```

```
A|C|_time
text1|24|20180103
text2|54|20180104
```

Then I want to do sum on C and get:

78
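As an added example (not part of the thread and not Splunk's own code), the following Python models the SPL behaviour the thread is circling: `stats` emits only its by-fields and its named aggregates, so C is gone after `| stats latest(_time) by A`; naming `latest(C)` in the same `stats`, or attaching it to every event with `eventstats` as in the accepted answer, keeps C and makes the final sum 78. The events are constructed from the A|C|_time table posted above, with `_time` converted to epoch seconds (Splunk stores `_time` as epoch; the 20180101 values in the table are dates, not epoch values). The function names `stats`, `eventstats`, `latest`, `values`, `total`, `broken_pipeline`, `working_pipeline` and `accepted_pipeline` are this example's own, not Splunk APIs. The same latest-per-key-then-aggregate shape is common in detection searches, for instance totalling the most recent score or status per host, where silently losing the value field makes the total wrong without any error.

```python
from collections import OrderedDict
from datetime import datetime, timezone


def _epoch(yyyymmdd: str) -> int:
    """Splunk's _time is epoch seconds; the thread's 20180101-style dates are converted here."""
    dt = datetime.strptime(yyyymmdd, "%Y%m%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


# Constructed sample events mirroring the A|C|_time table posted in the thread.
EVENTS = [
    {"A": "text1", "C": 23, "_time": _epoch("20180101")},
    {"A": "text2", "C": 33, "_time": _epoch("20180102")},
    {"A": "text1", "C": 24, "_time": _epoch("20180103")},
    {"A": "text2", "C": 54, "_time": _epoch("20180104")},
]


# Aggregation functions: each takes (events_in_group, field_name).
def latest(members, field):
    """latest(X): X taken from the event with the greatest _time in the group."""
    return max(members, key=lambda e: e["_time"])[field]


def values(members, field):
    """values(X): distinct values of X as a sorted multivalue list."""
    return sorted({e[field] for e in members if field in e})


def total(members, field):
    """sum(X): events lacking X contribute nothing; a multivalue X contributes
    each of its values. With no values at all the result is empty (None)."""
    vals = []
    for e in members:
        v = e.get(field)
        if v is None:
            continue
        vals.extend(v if isinstance(v, list) else [v])
    return sum(vals) if vals else None


def stats(events, by, **aggs):
    """Model of `| stats <agg>(<field>) as <name> ... by <by>`.
    aggs maps output name -> (function, input field). Output rows carry ONLY
    the by-fields and the named aggregates; every other field is dropped."""
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(tuple(ev[f] for f in by), []).append(ev)
    rows = []
    for key, members in groups.items():
        row = dict(zip(by, key))
        for name, (func, field) in aggs.items():
            row[name] = func(members, field)
        rows.append(row)
    return rows


def eventstats(events, by, **aggs):
    """Model of `| eventstats ...`: the same aggregates as stats, but written
    onto every original event, so all existing fields survive."""
    summary = {tuple(r[f] for f in by): r for r in stats(events, by, **aggs)}
    out = []
    for ev in events:
        row = dict(ev)
        agg = summary[tuple(ev[f] for f in by)]
        row.update({k: v for k, v in agg.items() if k not in by})
        out.append(row)
    return out


def broken_pipeline():
    """`| stats latest(_time) by A | stats sum(C)`: returns the field names
    left after the first stats and the (empty) sum, because C was dropped."""
    step1 = stats(EVENTS, ["A"], **{"latest(_time)": (latest, "_time")})
    step2 = stats(step1, [], **{"sum(C)": (total, "C")})
    return sorted(step1[0].keys()), step2[0]["sum(C)"]


def working_pipeline():
    """`| stats latest(_time) as Time, latest(C) as C by A | stats sum(C)`."""
    step1 = stats(EVENTS, ["A"], Time=(latest, "_time"), C=(latest, "C"))
    return stats(step1, [], **{"sum(C)": (total, "C")})[0]["sum(C)"]


def accepted_pipeline():
    """`| eventstats latest(C) as C1 by A | stats values(C1) as C1 latest(_time) as T by A
    | eval _time=T | stats sum(C1) as C` (the accepted answer's route)."""
    s1 = eventstats(EVENTS, ["A"], C1=(latest, "C"))
    s2 = stats(s1, ["A"], C1=(values, "C1"), T=(latest, "_time"))
    for row in s2:
        row["_time"] = row["T"]  # eval _time=T
    return stats(s2, [], C=(total, "C1"))[0]["C"]


if __name__ == "__main__":
    print("after `stats latest(_time) by A` -> fields, sum(C):", broken_pipeline())
    print("latest(C) carried through stats -> sum(C):", working_pipeline())
    print("eventstats route -> sum(C1):", accepted_pipeline())
```

Running the script prints that the first pipeline leaves only `A` and `latest(_time)` (so `sum(C)` is empty), while the other two return 78, matching the number net1993 asked for.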


net1993

Path Finder

01-21-2019
06:57 AM

I marked \n for new line, as the reply web form does not recognize new lines.


kamlesh_vaghela

SplunkTrust

01-21-2019
06:57 AM

Does `_time` contain `20180101`?? Don't you think it should be epoch??