- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- group by from fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
group by from fields
I have events similar to these:
component, technology, mydate
silva, java, 06/20/2019
souza, java, 06/20/2019
silva, java, 07/20/2019
silva, python, 12/07/2019
uol, python, 09/07/2019
I would like to group the events by the technology field, taking all the events that have the largest date. But I can only bring up an event when I try to bring in the latest date using the search:
index = "you" | stats max (mydate) as best by technology
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this before your stats line:
... | eval mydate = strptime(mydate, "%m/%d/%Y")
Then add this to the end:
... | eval fieldformat mydate = strftime(mydate, "%m/%d/%Y")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this!
|dedup technology sortby -mydate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I didn't express myself well. I need to group display all latest events by date by technology. And sometimes I have more than one event with the same date and same technology.
This works better, thanks for the tip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are still not expressing your needs well. Post sample events, then post a mockup of your desired output. It really is just that simple. You post that and we will post the SPL.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The max function needs a numeric argument, not the strings in the mydate field. Convert the dates into epochs and you should have your results.
index = "you" | eval epoch=strptime(mydate, "%m/%d/%Y")
| stats max(epoch) as best by technology
| eval best = strftime(epoch, "%m/%d/%Y")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I didn't express myself well. I need to group display all latest events by date by technology. And sometimes I have more than one event with the same date and same technology.
Thanks for the max tip.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
