Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats/streamstats to display only last 2 result/row

yuming1127
Path Finder
‎05-16-2021 08:52 PM

Hi, i'm looking for a solution which only show the last and last-1 result using stats or streamstats function.  Aim is to only display something like max(row) and max(row)-1

my search...

| stats values(product_tag*) as product_tag* values(*) as * by product,color,product_tag

outcome

productcolorproduct_tagdescription
phoneredabc_1blabla1
phoneredabc_2blabla2
phoneredabc_3blabla3
phoneredabc_4blabla4

 

desired outcome

productcolorproduct_tagdescription
phoneredabc_3blabla3
phoneredabc_4blabla4

 or 

productcolorproduct_tagdescription
phoneredabc_4blabla4
phoneredabc_3blabla3

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-16-2021 09:29 PM

@yuming1127 

try this.

YOUR_SEARCH
| eval a=1 | accum a | eventstats max(a) as mx | where a=mx OR a=mx-1

 

Sample:

| makeresults 
| eval _raw="product	color	product_tag	description
phone	red	abc_1	blabla1
phone	red	abc_2	blabla2
phone	red	abc_3	blabla3
phone	red	abc_4	blabla4" 
| multikv forceheader=1 
| table product color product_tag description
| eval a=1 | accum a | eventstats max(a) as mx | where a=mx OR a=mx-1

 

Thanks
KV
▄︻̷̿┻̿═━一

If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

yuming1127
Path Finder
‎05-16-2021 10:13 PM

Great one KV,

one more addition question,  how do i display the product_tag i search and the one previous of it.

For example:

my search...

| stats values(product_tag*) as product_tag* values(*) as * by product,color,product_tag

|  search product_tag=abc_3 

Outcome

productcolorproduct_tagdescription
phoneredabc_3blabla3

 

Desired outcome

tcolorproduct_tagdescription
phoneredabc_2blabla2
phoneredabc_3blabla3

 

really appreciate your help.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-16-2021 10:27 PM

@yuming1127 

For your search product_tag  scenario try this. 

YOUR_SEARCH
| eval a=1 , search_product_tag="YOUR_SEARCH_TAG"
| accum a 
| eventstats max(eval(if(search_product_tag==product_tag,a,null()))) as mx
| where a=mx OR a=mx-1
| table product	color	product_tag	description

 

Sample Search:

| makeresults 
| eval _raw="product	color	product_tag	description
phone	red	abc_1	blabla1
phone	red	abc_2	blabla2
phone	red	abc_3	blabla3
phone	red	abc_4	blabla4" 
| multikv forceheader=1 
| table product color product_tag description 
| eval a=1 , search_product_tag="abc_3"
| accum a 
| eventstats max(eval(if(search_product_tag==product_tag,a,null()))) as mx
| where a=mx OR a=mx-1
| table product	color	product_tag	description

 

Thanks
KV
▄︻̷̿┻̿═━一

If this reply helps you, an upvote would be appreciated.

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-16-2021 09:29 PM

@yuming1127 

try this.

YOUR_SEARCH
| eval a=1 | accum a | eventstats max(a) as mx | where a=mx OR a=mx-1

 

Sample:

| makeresults 
| eval _raw="product	color	product_tag	description
phone	red	abc_1	blabla1
phone	red	abc_2	blabla2
phone	red	abc_3	blabla3
phone	red	abc_4	blabla4" 
| multikv forceheader=1 
| table product color product_tag description
| eval a=1 | accum a | eventstats max(a) as mx | where a=mx OR a=mx-1

 

Thanks
KV
▄︻̷̿┻̿═━一

If this reply helps you, an upvote would be appreciated.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...