Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

understand eval vs stats vs max values

Skwerl23
Loves-to-Learn Lots
‎08-11-2023 02:11 PM

i'm trying to grab all items based on a field. the field is a "index" identifier from my data. but i only want the most recent one in my dashboard.

Since eval doesn't have a max function ... e.g.

 

eval max_value = max(index)  | where index=max_value

 

is eventstats the only way to do this? These seems like a lot of overhead vs just getting a max value

 

eventstats max(index) as max_value | where index=max_value

 

is there another way to do this betteR?

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-13-2023 09:41 PM

eval + max applies to a single field in an event, rather than across all the events. If you have a multivalue field in an event, than max(field) will get the highest value.

To get 'max' across events, if 'index' in your case is numeric, then eventstats + max is appropriate, however, eventstats + latest(index) would be a more general solution if you want the 'latest' value of index based on the time of the event - as @ITWhisperer says, events are normally chronological order, so dedup can work, but it's not always true that it does.

If you're only interested in some fields from the event that has the latest 'index', then you may be able to use stats rather than eventstats, but that will depend on what you're intending to do after this with the results

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-12-2023 12:23 AM

Events are usually retrieved in reverse chronological order and dedup keeps the first one it finds so you could try this

| dedup index
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-11-2023 04:38 PM

A solution more efficient than eventstats quite depends on how this index identifier is populated, where it is populated, and how frequently it is populated.  I suspect that this index identifier is not the field index itself as your demo code implies.  Is it?

i only want the most recent one in my dashboard.

The word "recent" suggests that different indices are populated at different times.  Why is max(index) an effective method to determine which one contains the most recent data?

Because of these conflicting references, it is unclear what you mean by "the most recent one".  Do you mean one index is populated only after another index stopped population? (I.e., no two indices contain overlapping time periods.)  Or do you mean you want the index that contains data that is populated last?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top