- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: stats latest(myfield) data for a table?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stats latest(myfield) data for a table?
So I have a search that I am building, though the results must be output into a table, due to not all fields being present in all instances. Think of this as an 'inventory' type of data input, where some machines have 2 NIC's, 4 HDD's, and others have 8 NIC's and 10HDD's, etc..
I have written a script to collect all of this data, though I am attempting to get the 'latest' results from the past 2 days. If I could use stats it would be very easy | stats latest(host) by field field field field although stats doesn't allow for some fields simply not being present.
When I use table I can easily populate the data, though I must dedup the data first, and I want to be sure I'm getting the latest data.
Is there a way to do this with table somehow?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My suggestion was going to be exactly what @somesoni2 mentioned because your existing | STATS command is backwards of what you want. If you use FILLNULL first, then you can make sure all of your fields have some kind of value:
... your search ... | fillnull field1, field2, field3, field4 value="n/a" | stats latest(field1) as field1, latest(field2) as field2, etc...
If the events you are looking at have all of the relevant fields in a single event, you should be able to use TABLE if you use the SORTBY option with DEDUP first:
... your search ... | dedup host sortby -_time | table host, field1, field2, field3, etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to clarify, do you want the latest host to report all of those fields? Or are you really trying to get the most recent fields reported by each host?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get the latest entry for every field. Stats will not work, as I've mentioned that not all fields are existent in each instance. stats just causes 'no results' to be found.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not do other way around?
...| stats latest(field1) as field1 latest(field2) as field2... by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunatley, this will not work, due to not all fields being present in all instances. stats just causes a 'no results' result set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your base search | fillnull field1 field2... ...| stats latest(field1) as field1 latest(field2) as field2... by host
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
