Solved: latest for eventstats does not work

collier31200 · ‎08-10-2015

Hello,

I try to use the latest() option of eventstats in the following way:

| eventstats latest(Status) AS Status_last by Application |sort 0 _time| dedup _raw| table _time  Status Status_last

In fact, I used a regex to define "Status" in a log line and I want to display the Current Status (current log line) and the status value of the previous logs line.

As below the problem is the Status_last raised is not good.

_time Status Status_last
2015-03-31 19:28:05 DEGRADED OPERATIONAL
2015-03-31 19:29:05 OPERATIONAL OPERATIONAL <= instead of Degraded

Please help ! !!

woodcock · ‎08-10-2015

OK, like this:

... | dedup _raw | reverse | streamstats current=f last(Status) AS PrevStatus BY Application | reverse | dedup Application | table _time Applicatoin Status PrevStatus

View solution in original post

woodcock · ‎08-10-2015

OK, like this:

... | dedup _raw | reverse | streamstats current=f last(Status) AS PrevStatus BY Application | reverse | dedup Application | table _time Applicatoin Status PrevStatus

collier31200 · ‎08-10-2015

Perfect ! That's work ! Thanks a lot

richgalloway · ‎08-10-2015

latest(Status) finds the most recent value of Status, not the previous value.

---
If this reply helps you, Karma would be appreciated.

collier31200 · ‎08-10-2015

Therefore how could I find the previous value ?

latest for eventstats does not work

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms