Change the evaluation direction of streamstats?

keycoldstorage
Explorer

The streamstats last function is very close to a very important tool in my workflow; however, I would like it to evaluate in the opposite direction. My first thought was to use first, but that is definitely not the opposite of last in Splunk parlance as last continues to evaluate as one would expect of a streamstat, whereas first only repeats the single first seen value even if additional values are encountered in the stream.

Specifically, if an event table is shown with time descending order where the newest events are at the top of the table, the last function will repeat a value for the newest known until it gets "down" in time to the next known value and repeat that one from there down and so on. In other words, the last function repeats the last known value back in time until it gets to the next last known value. Makes sense!

Problem is, I want the opposite! I want a function that will repeat a known value forward in time until it encounters a newer known value in the stream.

Is there a way to reverse the order of evaluation for streamstats?

1 Solution

gkanapathy
Splunk Employee

Just do | sort _time before the streamstats command, and continue to use last()

michaeltokar
Explorer

Sort has a limit on how many events it can process, however, so this is not always practical.

HeinzWaescher
Motivator

To avoid the limit, use

| sort 0 _time

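As an added worked example (not part of the original thread), the following self-contained search builds six constructed events with makeresults and computes both fill directions side by side, so the effect of the sort can be read off one table. The field names n, value, filled_back_in_time and filled_forward_in_time are arbitrary and chosen here for illustration. The trick rests on last() ignoring events in which the field is absent (case() falling through to null() removes value from the event), which is what makes the last known value carry across the gaps.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (n * 60)
| eval value = case(n=1, "newest", n=4, "older", true(), null())
| streamstats last(value) AS filled_back_in_time
| sort 0 _time
| streamstats last(value) AS filled_forward_in_time
| sort 0 -_time
| table _time n value filled_back_in_time filled_forward_in_time
```

The first streamstats runs over the default newest-first order and carries "newest" down onto n=2 and n=3 and "older" onto n=5 and n=6, which is the behaviour the question describes. After sort 0 _time the second streamstats sees the oldest event first, so "older" is carried onto n=3 and n=2 (the events newer than n=4) and n=5 and n=6 stay empty, which is the forward-in-time fill that was wanted. The final sort only restores the newest-first display. In a real search, replace the makeresults and eval lines with the base search; sort 0 lifts the 10,000-result cap of sort but still holds the whole result set in memory, and when the input is already in reverse-chronological order (the default for event searches) | reverse flips it without performing a sort at all.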
keycoldstorage
Explorer

Wonderful, thank you!
