Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

print latest and values of status in an order.

sandeepmakkena
Contributor
‎11-08-2019 05:14 PM

I have some this like this 

|stats value(status) by time, id

I want to print the latest time, values(status) in the order they got indexed or they happened by id.

Can someone help, Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-09-2019 02:03 PM

If you use the values() aggregation function, it will sort them alphabetically but if you use the list() aggregation function, it will preserve the order of the events at the point you called stats.

Reply

jacobpevans
Motivator
‎11-08-2019 05:56 PM

Greetings @sandeepmakkena,

Please expand more. Based on what little you've provided, try this:

|stats value(status) latest(_indextime) as _indextime latest(_time) as _time by time, id
| convert ctime(_indextime) as indextime
| convert ctime(_time) as _time

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sandeepmakkena
Contributor
‎11-08-2019 06:05 PM

Values(status) are printing in alphabetical order, I want them to be in the order of they occurred.

0 Karma
Reply

jacobpevans
Motivator
‎11-08-2019 06:09 PM 
 | stats value(status) as statuses latest(_time) as _time by id
 | sort _time

You haven't provided enough information for us to help you. Can you provide a snippet of censored data and what you'd like the output to look like?

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sandeepmakkena
Contributor
‎11-08-2019 07:05 PM

What you are saying will sort all the results but, not the status from values(status) output.

0 Karma
Reply

jacobpevans
Motivator
‎11-13-2019 02:34 PM

See @woodcock 's answer

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top