Solved: stats unique value by latest time

neophyte · ‎10-01-2021

Hi,

I have ticketing system values in my siem, where different support people working on the ticket. I am trying to create a table where I need to show a table of tickets with the last status only per ticket, for example, if 3 engineers worked on a ticket then this table should show the last updated time and status only. my problem is that the following query is grouping tickets correctly but showing all status values per ticket and also changed the _time format to the integer values

| table_time status service user eventid tickets
| stats values(status) values(service) values(user) values(eventid) by tickets
| convert ctime(_time) sort _time

can you please advise, Regards

richgalloway · ‎10-01-2021

The query is showing all values because you told it to. To see only the latest values use the latest() function.

| table_time status service user eventid tickets
| stats latest(_time) as _time, latest(status) as status, latest(service) as service, latest(user) as user, latest(eventid) as eventid by tickets

---
If this reply helps you, Karma would be appreciated.

View solution in original post

neophyte · ‎10-02-2021

Many Thanks. this worked like a charm.

richgalloway · ‎10-01-2021

The query is showing all values because you told it to. To see only the latest values use the latest() function.

| table_time status service user eventid tickets
| stats latest(_time) as _time, latest(status) as status, latest(service) as service, latest(user) as user, latest(eventid) as eventid by tickets

---
If this reply helps you, Karma would be appreciated.

stats unique value by latest time

stats

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring