Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return the latest events where one field is equal to a certain value without using subsearches?

DEngineer1
New Member
‎05-15-2016 05:09 AM

Hi Guys,

I have got a problem which I need to return results when 1 field is of a certain value BUT only after a certain event.

Serial_No   Complete
     7         0
     5         0
     4         0
     3         1
     2         1
     1         0

In the case above, I only need to return rows where complete==0 BUT only considering rows that are after complete==1 (so the row where Serial_No==1 is not considered)

In the example above the results will be:

Serial_No   Complete
     7         0
     5         0
     4         0

Any possibility to get the result without any subsearches?
Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-15-2016 10:31 AM

Try like this

your current search giving Serial_No Complete | sort 0 Serial_No | streamstats sum(Complete) as temp | where temp>0

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-15-2016 10:31 AM

Try like this

your current search giving Serial_No Complete | sort 0 Serial_No | streamstats sum(Complete) as temp | where temp>0
0 Karma
Reply
Solved! Jump to solution

DEngineer1
New Member
‎05-16-2016 04:06 AM

Hey thanks for the recommendation, streamstats really give me the "light bulb"

I was thinking this might work:

"search"| sort + Serial | streamstats window=2 global=f current=t first(complete) as next_com, first(serial) as next_serial | fields serial, complete, next_serial, next_com | eval test=if(complete > next_com, serial, 0) | fields serial, complete, test | eventstats max(test) as m_test | where complete == 0 | where (serial > m_test)

However I do not know is this an efficient search...

Comparing to using sub-search, will this be a faster search?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-16-2016 09:03 AM

The efficiency will depend upon the amount of processing to be done. Your search is doing extra stuff so it might be slower than my query. If your query is working for you, just try like this

 "search"| sort + Serial | streamstats window=2 global=f current=t first(complete) as next_com, first(serial) as next_serial | fields serial, complete, next_serial, next_com | eval test=if(complete > next_com, serial, 0) | eventstats max(test) as m_test | where complete == 0 AND (serial > m_test)
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...