Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats latest not returning a value

cphair
Builder
‎04-11-2012 08:06 AM

Hello,

I have a silly problem. I can't get stats latest(_time) to return a value. It's a basic search--just trying to find the last time each host reported in.



index=foo | stats latest(_time) by host

earliest(_time) seems to work, and so do the first and last functions, but latest just gives me a blank entry. What's going on? If it matters, this is perfmon data and I think it's pretty clean. It's not just the _time field either; no field I pass to latest is giving me a result.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-11-2012 08:41 AM

In the mean time, use;

|metadata type=hosts index=foo | eval Last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")| fields + host Last_seen

EDIT: Much faster than what I just posted. Deleted that. Sorry.
EDIT AGAIN: cut-n-paste silliness. Corrected now.

/k

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-11-2012 08:41 AM

In the mean time, use;

|metadata type=hosts index=foo | eval Last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")| fields + host Last_seen

EDIT: Much faster than what I just posted. Deleted that. Sorry.
EDIT AGAIN: cut-n-paste silliness. Corrected now.

/k

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-26-2013 01:54 PM

The workaround is for this particular question: "At what time did we receive the last message for each host?"

This can be answered by querying the metdata instead of the events themselves. Pretty much the same by which Splunk instantly 'knows' and presents the times for the oldest/newest event in the landing page for the Search app and for each index in Manager -> Indexes.

The lastTime is returned (in epoch format) by the |metadata search command. To present it in a nicer fashion it is then eval:ed with strftime.

Have you tried it?

0 Karma
Reply
Solved! Jump to solution

srowe
Explorer
‎03-26-2013 01:45 PM

I don't understand the workaround. Where are we supposed to get lastTime? isn't that the whole point with using the latest function? I am using version 5.0.1 and still experiencing this issue.

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎04-11-2012 10:07 AM

Works nicely. Thank you.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎04-11-2012 08:13 AM

This most definitely seems to be a bug. Others have reported the same problem, so you're not alone. Have a look at http://splunk-base.splunk.com/answers/42084/latest-function-in-stats-not-working-without-earliest

Reply
Solved! Jump to solution

cphair
Builder
‎04-11-2012 08:17 AM

Yep, that's exactly it. Guess I should search more carefully before I post. Thanks!

My Splunk version is 4.3 build 115073, if that helps you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...