Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats latest not returning a value

cphair
Builder
‎04-11-2012 08:06 AM

Hello,

I have a silly problem. I can't get stats latest(_time) to return a value. It's a basic search--just trying to find the last time each host reported in.



index=foo | stats latest(_time) by host

earliest(_time) seems to work, and so do the first and last functions, but latest just gives me a blank entry. What's going on? If it matters, this is perfmon data and I think it's pretty clean. It's not just the _time field either; no field I pass to latest is giving me a result.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-11-2012 08:41 AM

In the mean time, use;

|metadata type=hosts index=foo | eval Last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")| fields + host Last_seen

EDIT: Much faster than what I just posted. Deleted that. Sorry.
EDIT AGAIN: cut-n-paste silliness. Corrected now.

/k

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-11-2012 08:41 AM

In the mean time, use;

|metadata type=hosts index=foo | eval Last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")| fields + host Last_seen

EDIT: Much faster than what I just posted. Deleted that. Sorry.
EDIT AGAIN: cut-n-paste silliness. Corrected now.

/k

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-26-2013 01:54 PM

The workaround is for this particular question: "At what time did we receive the last message for each host?"

This can be answered by querying the metdata instead of the events themselves. Pretty much the same by which Splunk instantly 'knows' and presents the times for the oldest/newest event in the landing page for the Search app and for each index in Manager -> Indexes.

The lastTime is returned (in epoch format) by the |metadata search command. To present it in a nicer fashion it is then eval:ed with strftime.

Have you tried it?

0 Karma
Reply
Solved! Jump to solution

srowe
Explorer
‎03-26-2013 01:45 PM

I don't understand the workaround. Where are we supposed to get lastTime? isn't that the whole point with using the latest function? I am using version 5.0.1 and still experiencing this issue.

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎04-11-2012 10:07 AM

Works nicely. Thank you.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎04-11-2012 08:13 AM

This most definitely seems to be a bug. Others have reported the same problem, so you're not alone. Have a look at http://splunk-base.splunk.com/answers/42084/latest-function-in-stats-not-working-without-earliest

Reply
Solved! Jump to solution

cphair
Builder
‎04-11-2012 08:17 AM

Yep, that's exactly it. Guess I should search more carefully before I post. Thanks!

My Splunk version is 4.3 build 115073, if that helps you.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...