×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
user-mcuserface
Engager
Member since: ‎11-24-2023
‎11-28-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-24-2023
Activity Feed
View All

Re: Locate latest record by some grouping field

by in Splunk Search
‎11-27-2023 02:47 AM
‎11-27-2023 02:47 AM
@PickleRick wrote: 3. [...] data onboarding includes finding the proper "main" timestamp within the event (some events can have multiple timestamps; in such case you need to decide which is the primary timestamp for the event) and making sure it's getting parsed out properly so that the event is indexed at the proper point in time That field is `my_timestamp` I'm currently using sourcetype `_json`, with the hope that I don't need to get into parsing data too much.  However, in order to fetch a latest metric by `my_timestamp` I guess I either somehow need to tell splunk that that field is a timestamp, or just treat this (ISO format) timestamp as a string for that purpose (since ISO strings do sort correctly)?  If the former, perhaps I need to define a new sourcetype? 4. Yes, latest(X) looks for the latest value of field X. It doesn't mind any other fields. So latest(X) and latest(Y) will show you latest seen values of respectably fields X and Y but they don't have to be from the same event. If one event had only field X, and other one had only field Y, you'd still get both of them in your results since either of them was the last occurrence of respsective field. How should I approach this to get a latest record, rather than the latest field? ... View more

Locate latest record by some grouping field

by in Splunk Search
‎11-24-2023 03:37 PM
‎11-24-2023 03:37 PM
With a query like the following (I've simplified it a little here and renamed some fields) index="my-test-index" project="my-project" | eval _time = strptime(my_timestamp, "%Y-%m-%dT%H:%M:%S.%N+00:00") | stats latest(my_timestamp) latest(_time) latest(my_count) as my_count by project I see behaviour that surprised me: 1. If I repeatedly issue the query, the value of my_count varies 2. It appears the rows from which my_count is taken are always those without a _time value resulting from the eval in my query (because either `my_timestamp` did not match the strptime format, or that field was not present when the record was ingested into splunk -- my data has both cases) 3. In the output of the search, the value of my_timestamp returned does not always come from the same ingested record as my_count. 4. In fact, the value of my_timestamp in the search output is always taken from the same single record: it doesn't change when I repeatedly issue the query. I guess 1. and 2. are because "null" (or empty or some similar concept) _time values aren't really expected and happen to sort latest. I guess 3. is because function `latest` operates field-by-field, and is not selecting a whole row -- combined again with the fact that some _time values are null. 4. I don't understand, but perhaps is a coincidence and is not reliably true in general outside of my data set etc., I'm not sure. What I really want is to find the ingested record with the latest value of `my_timestamp` for a given `project`, so I can present fields like `my_count` by `project` in a "most recent counts" table. I don't really want to operate on individual fields' "latest" values as in the query above, but rather latest entire records. How can I best achieve that in splunk? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-28-2023 02:59 PM
Karma given to
View All