Hi all,
I'd like to retrieve a field value from the previous event. I've used streamstats last(myfield), but this takes the value from the current event and not from the previous one.
Explanation: I have:
I'd like to have:
Using "streamstats last()" gives me:
Would anyone have any idea?
Regards,
Olivier
It seems to have a documentation mistake on the default value for the "current" parameter. It mentions the default is be false while if you don't set this parameter in the command, it sets it to true! I'm using version 4.2.2, build 101277.
Thank you very much for your answer.
Regards, Olivier
You can add a comment/note to the docs (online), or email docs@splunk.com. Otherwise this comment may go unnoticed.
Use the parameter "current=f" in streamstats.