Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- stats latest not returning a value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a silly problem. I can't get stats latest(_time) to return a value. It's a basic search--just trying to find the last time each host reported in.
index=foo | stats latest(_time) by host
earliest(_time) seems to work, and so do the first and last functions, but latest just gives me a blank entry. What's going on? If it matters, this is perfmon data and I think it's pretty clean. It's not just the _time field either; no field I pass to latest is giving me a result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the mean time, use;
|metadata type=hosts index=foo | eval Last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")| fields + host Last_seen
EDIT: Much faster than what I just posted. Deleted that. Sorry.
EDIT AGAIN: cut-n-paste silliness. Corrected now.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the mean time, use;
|metadata type=hosts index=foo | eval Last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")| fields + host Last_seen
EDIT: Much faster than what I just posted. Deleted that. Sorry.
EDIT AGAIN: cut-n-paste silliness. Corrected now.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The workaround is for this particular question: "At what time did we receive the last message for each host?"
This can be answered by querying the metdata instead of the events themselves. Pretty much the same by which Splunk instantly 'knows' and presents the times for the oldest/newest event in the landing page for the Search app and for each index in Manager -> Indexes.
The lastTime is returned (in epoch format) by the |metadata search command. To present it in a nicer fashion it is then eval:ed with strftime.
Have you tried it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand the workaround. Where are we supposed to get lastTime? isn't that the whole point with using the latest function? I am using version 5.0.1 and still experiencing this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works nicely. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This most definitely seems to be a bug. Others have reported the same problem, so you're not alone. Have a look at http://splunk-base.splunk.com/answers/42084/latest-function-in-stats-not-working-without-earliest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, that's exactly it. Guess I should search more carefully before I post. Thanks!
My Splunk version is 4.3 build 115073, if that helps you.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Deep insights, no barriers: Splunk Observability Cloud Free Edition
Monitoring AI Agents with Splunk Observability Cloud
[Puzzles] Solve, Learn, Repeat: Tiling
