Splunk Search

stats latest(myfield) data for a table?

Motivator

So I have a search that I am building, though the results must be output into a table, due to not all fields being present in all instances. Think of this as an 'inventory' type of data input, where some machines have 2 NICs and 4 HDDs, and others have 8 NICs and 10 HDDs, etc.

I have written a script to collect all of this data, though I am attempting to get the 'latest' results from the past 2 days. If I could use stats it would be very easy: | stats latest(host) by field field field field, although stats doesn't allow for some fields simply not being present.
When I use table I can easily populate the data, though I must dedup the data first, and I want to be sure I'm getting the latest data.

Is there a way to do this with table somehow?

0 Karma

Communicator

My suggestion was going to be exactly what @somesoni2 mentioned because your existing | STATS command is backwards of what you want. If you use FILLNULL first, then you can make sure all of your fields have some kind of value:

... your search ... | fillnull value="n/a" field1 field2 field3 field4 | stats latest(field1) as field1, latest(field2) as field2, ...

If the events you are looking at have all of the relevant fields in a single event, you should be able to use TABLE if you use the SORTBY option with DEDUP first:

... your search ... | dedup host sortby -_time | table host, field1, field2, field3, etc
0 Karma

Communicator

Just to clarify, do you want the latest host to report all of those fields? Or are you really trying to get the most recent fields reported by each host?

0 Karma

Motivator

I am trying to get the latest entry for every field. Stats will not work, as I've mentioned: not all fields are present in each instance. stats just causes 'no results' to be found.

0 Karma

SplunkTrust

Why not do it the other way around?

...| stats latest(field1) as field1 latest(field2) as field2... by host
0 Karma

Motivator

Unfortunately, this will not work, due to not all fields being present in all instances. stats just causes a 'no results' result set.

0 Karma

SplunkTrust

Try something like this

your base search | fillnull field1 field2 ... | stats latest(field1) as field1 latest(field2) as field2 ... by host
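As an added, self-contained illustration of the fillnull + stats latest(...) by host pattern suggested in this answer and in the earlier fillnull answer (this is example SPL written here, not a search from the thread), the following builds a few constructed inventory events with makeresults and append instead of reading real data. The host names web01 and db01 and the fields nic_count and hdd_count are invented for the example; the newest db01 event deliberately omits hdd_count, which is the "field not present in every instance" case the question is about.

```spl
| makeresults
| eval host="web01", nic_count=2, hdd_count=4, _time=relative_time(now(), "-2d")
| append [| makeresults | eval host="web01", nic_count=2, hdd_count=5, _time=relative_time(now(), "-1d")]
| append [| makeresults | eval host="db01", nic_count=8, hdd_count=10, _time=relative_time(now(), "-1d")]
| append [| makeresults | eval host="db01", nic_count=8, _time=now()]
| fillnull value="n/a" nic_count hdd_count
| stats latest(nic_count) as nic_count, latest(hdd_count) as hdd_count by host
```

Running this returns one row per host: web01 with nic_count=2 and hdd_count=5, and db01 with nic_count=8 and hdd_count="n/a". The "n/a" is worth understanding before choosing this form for an inventory: latest() skips events where the field is null, so without the fillnull line db01 would instead report hdd_count=10 from its older event, which may or may not be what you want. Filling nulls first makes the result reflect exactly what the newest event for each host reported, while leaving them unfilled gives the most recent value ever seen for each field. The dedup host sortby -_time | table ... variant from the earlier answer keeps only the newest event per host, so it behaves like the fillnull version (db01's hdd_count would be blank) and, as that answer notes, only gives a complete row when all the fields arrive in a single event.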