Splunk Search

understand eval vs stats vs max values

Skwerl23
Loves-to-Learn Lots

I'm trying to grab all items based on a field. The field is an "index" identifier from my data, but I only want the most recent one in my dashboard.

Since eval doesn't have a max function ... e.g.

eval max_value = max(index) | where index=max_value

Is eventstats the only way to do this? This seems like a lot of overhead vs. just getting a max value.

eventstats max(index) as max_value | where index=max_value
Is there another way to do this better?


bowesmana
SplunkTrust

eval + max applies to a single field in an event, rather than across all the events. If you have a multivalue field in an event, then max(field) will get the highest value.

To get 'max' across events, if 'index' in your case is numeric, then eventstats + max is appropriate; however, eventstats + latest(index) would be a more general solution if you want the 'latest' value of index based on the time of the event - as @ITWhisperer says, events are normally in chronological order, so dedup can work, but it's not always true that it does.

If you're only interested in some fields from the event that has the latest 'index', then you may be able to use stats rather than eventstats, but that will depend on what you're intending to do after this with the results.


ITWhisperer
SplunkTrust

Events are usually retrieved in reverse chronological order and dedup keeps the first one it finds, so you could try this:

| dedup index
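To make the distinction in the two answers above concrete (eval max comparing values inside one event, eventstats max and eventstats latest comparing across events), here is an added SPL example of my own, not code from either poster. It builds its own six sample events with makeresults, so it runs on any Splunk instance without real data; the field names batch_id and retry_count stand in for the poster's "index" identifier and are constructed, and the batch numbering is deliberately non-monotonic so that max and latest disagree:

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (7 - n) * 3600
| eval batch_id = case(n <= 2, 102, n <= 4, 103, true(), 101)
| eval retry_count = n * 30
| eval per_event_max = max(batch_id, retry_count)
| eventstats max(batch_id) AS max_batch, latest(batch_id) AS latest_batch
| where batch_id = latest_batch
| table _time n batch_id retry_count per_event_max max_batch latest_batch
```

The eval line compares the two values that sit in the same event, so per_event_max is 150 and 180 on the two surviving rows, never a value from another event. eventstats sees every event: max_batch is 103 (the numerically largest batch), while latest_batch is 101, because the two newest events by _time carry batch 101; the where clause therefore keeps exactly those two rows, which is what "most recent" means here, and filtering on max_batch instead would have picked the wrong batch. If only the latest batch number and its timestamp are needed rather than the events themselves, the last three lines can be replaced by `| stats latest(batch_id) AS latest_batch latest(_time) AS latest_time`, which collapses the search to a single row. For the dedup approach, an explicit `| sort - _time | dedup batch_id` keeps the newest event per batch_id without relying on the retrieval order that the dedup answer depends on.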

yuanliu
SplunkTrust

A solution more efficient than eventstats quite depends on how this index identifier is populated, where it is populated, and how frequently it is populated. I suspect that this index identifier is not the field index itself as your demo code implies. Is it?


i only want the most recent one in my dashboard.

The word "recent" suggests that different indices are populated at different times. Why is max(index) an effective method to determine which one contains the most recent data?

Because of these conflicting references, it is unclear what you mean by "the most recent one". Do you mean one index is populated only after another index stopped population? (I.e., no two indices contain overlapping time periods.) Or do you mean you want the index that contains data that is populated last?
