Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

print latest and values of status in an order.

sandeepmakkena
Contributor
‎11-08-2019 05:14 PM

I have some this like this 

|stats value(status) by time, id

I want to print the latest time, values(status) in the order they got indexed or they happened by id.

Can someone help, Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-09-2019 02:03 PM

If you use the values() aggregation function, it will sort them alphabetically but if you use the list() aggregation function, it will preserve the order of the events at the point you called stats.

Reply

jacobpevans
Motivator
‎11-08-2019 05:56 PM

Greetings @sandeepmakkena,

Please expand more. Based on what little you've provided, try this:

|stats value(status) latest(_indextime) as _indextime latest(_time) as _time by time, id
| convert ctime(_indextime) as indextime
| convert ctime(_time) as _time

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sandeepmakkena
Contributor
‎11-08-2019 06:05 PM

Values(status) are printing in alphabetical order, I want them to be in the order of they occurred.

0 Karma
Reply

jacobpevans
Motivator
‎11-08-2019 06:09 PM 
 | stats value(status) as statuses latest(_time) as _time by id
 | sort _time

You haven't provided enough information for us to help you. Can you provide a snippet of censored data and what you'd like the output to look like?

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sandeepmakkena
Contributor
‎11-08-2019 07:05 PM

What you are saying will sort all the results but, not the status from values(status) output.

0 Karma
Reply

jacobpevans
Motivator
‎11-13-2019 02:34 PM

See @woodcock 's answer

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top