Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

understand eval vs stats vs max values

Skwerl23
Loves-to-Learn Lots
‎08-11-2023 02:11 PM

i'm trying to grab all items based on a field. the field is a "index" identifier from my data. but i only want the most recent one in my dashboard.

Since eval doesn't have a max function ... e.g.

 

eval max_value = max(index)  | where index=max_value

 

is eventstats the only way to do this? These seems like a lot of overhead vs just getting a max value

 

eventstats max(index) as max_value | where index=max_value

 

is there another way to do this betteR?

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-13-2023 09:41 PM

eval + max applies to a single field in an event, rather than across all the events. If you have a multivalue field in an event, than max(field) will get the highest value.

To get 'max' across events, if 'index' in your case is numeric, then eventstats + max is appropriate, however, eventstats + latest(index) would be a more general solution if you want the 'latest' value of index based on the time of the event - as @ITWhisperer says, events are normally chronological order, so dedup can work, but it's not always true that it does.

If you're only interested in some fields from the event that has the latest 'index', then you may be able to use stats rather than eventstats, but that will depend on what you're intending to do after this with the results

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-12-2023 12:23 AM

Events are usually retrieved in reverse chronological order and dedup keeps the first one it finds so you could try this

| dedup index
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-11-2023 04:38 PM

A solution more efficient than eventstats quite depends on how this index identifier is populated, where it is populated, and how frequently it is populated.  I suspect that this index identifier is not the field index itself as your demo code implies.  Is it?

i only want the most recent one in my dashboard.

The word "recent" suggests that different indices are populated at different times.  Why is max(index) an effective method to determine which one contains the most recent data?

Because of these conflicting references, it is unclear what you mean by "the most recent one".  Do you mean one index is populated only after another index stopped population? (I.e., no two indices contain overlapping time periods.)  Or do you mean you want the index that contains data that is populated last?

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top