Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

print latest and values of status in an order.

sandeepmakkena
Contributor
‎11-08-2019 05:14 PM

I have some this like this 

|stats value(status) by time, id

I want to print the latest time, values(status) in the order they got indexed or they happened by id.

Can someone help, Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-09-2019 02:03 PM

If you use the values() aggregation function, it will sort them alphabetically but if you use the list() aggregation function, it will preserve the order of the events at the point you called stats.

Reply

jacobpevans
Motivator
‎11-08-2019 05:56 PM

Greetings @sandeepmakkena,

Please expand more. Based on what little you've provided, try this:

|stats value(status) latest(_indextime) as _indextime latest(_time) as _time by time, id
| convert ctime(_indextime) as indextime
| convert ctime(_time) as _time

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sandeepmakkena
Contributor
‎11-08-2019 06:05 PM

Values(status) are printing in alphabetical order, I want them to be in the order of they occurred.

0 Karma
Reply

jacobpevans
Motivator
‎11-08-2019 06:09 PM 
 | stats value(status) as statuses latest(_time) as _time by id
 | sort _time

You haven't provided enough information for us to help you. Can you provide a snippet of censored data and what you'd like the output to look like?

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sandeepmakkena
Contributor
‎11-08-2019 07:05 PM

What you are saying will sort all the results but, not the status from values(status) output.

0 Karma
Reply

jacobpevans
Motivator
‎11-13-2019 02:34 PM

See @woodcock 's answer

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...