How to add the latest field value from two hosts?

EricLloyd79
Builder

This is probably going to be a simple answer, but I've racked my brain over it for more time than I should have.

I have two hosts. I want to add together the two latest values of a particular field.
I know I can use latest(field) to get the latest value and I can do latest(field) by host to see the latest field per host.
However, I cannot do sum(latest(field)) by host of which I was hoping would work.

I cannot use latest(field) in an eval statement to use the + functionality.

Any ideas?


lguinn2
Legend

Try this!

yoursearchhere host=hostA OR host=hostB
| stats latest(myField) as latestValue by host
| stats sum(latestValue) as Total

EricLloyd79
Builder

Thank you again for your answer. Is there a way to put it into a timechart span=1d? I have tried to convert it to
stats latest(requests) as latestRequests by host | timechart span=1d sum(latestRequests) as Total
but that doesn't return any results. Also tried adding timechart at the end after the second stats.
I guess stats and timechart can't be mixed... so I'd have to find a way to do the stats functionality with timechart?


lguinn2
Legend

If you want to see the latest requests for each day, you could do it this way

yoursearchhere host=hostA OR host=hostB
| eval date=strftime(_time,"%x")
| stats latest(requests) as latestRequests by host date
| chart sum(latestRequests) as Total by date

The problem is that stats is a summarizing command and timechart needs the time of the event... so you have to figure out a way to do both. This is the best I've thought of so far.
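
As an added illustration that is not part of the thread, the same two-stage pipeline (stats latest(requests) by host and day, then sum by day) re-implemented in Python over constructed sample events, so the per-stage results can be inspected; it uses a fixed %Y-%m-%d day bucket instead of the locale-dependent %x used above.

```python
from collections import defaultdict
from datetime import datetime, timezone


def ts(iso):
    """Epoch seconds for an ISO timestamp, treated as UTC (helper for sample data)."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample events (not real data): two hosts over two days, deliberately
# out of time order, and hostB reports nothing on the second day.
SAMPLE_EVENTS = [
    {"_time": ts("2023-11-14T12:00"), "host": "hostA", "requests": 25},
    {"_time": ts("2023-11-14T08:00"), "host": "hostA", "requests": 10},
    {"_time": ts("2023-11-14T18:00"), "host": "hostB", "requests": 40},
    {"_time": ts("2023-11-15T10:00"), "host": "hostA", "requests": 30},
    {"_time": ts("2023-11-14T09:00"), "host": "hostB", "requests": 7},
]


def day_bucket(epoch):
    """Equivalent of eval date=strftime(_time, ...), with an unambiguous format."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def latest_by_host_and_day(events):
    """Stage 1: stats latest(requests) as latestRequests by host date.

    'latest' means the value carried by the event with the greatest _time in
    each (host, day) group, regardless of the order events arrive in.
    """
    winners = {}  # (host, day) -> (_time, requests)
    for ev in events:
        key = (ev["host"], day_bucket(ev["_time"]))
        if key not in winners or ev["_time"] > winners[key][0]:
            winners[key] = (ev["_time"], ev["requests"])
    return {key: value for key, (_, value) in winners.items()}


def total_of_latest_by_day(events):
    """Stage 2: chart sum(latestRequests) as Total by date.

    Sums the per-host latest values inside each day; a host with no events on
    a day simply contributes nothing to that day's row.
    """
    totals = defaultdict(int)
    for (_host, day), value in latest_by_host_and_day(events).items():
        totals[day] += value
    return dict(totals)
```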

EricLloyd79
Builder

Thanks for all your help. That worked like a charm.


EricLloyd79
Builder

Thank you so much! Worked perfectly. I knew it had something to do with multiple instances of stats.
