Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to find the sum for the late...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to find the sum for the latest events with subsearch?
benchdba
New Member
11-17-2016
09:00 AM
Hi,
I am very new to Splunk and have a question about subsearch.
I have some events with the following fields and data:
REC_DATE DB_NAME FILE_NAME TotalMB
20161116165944 PROD F1 50
20161116165944 PROD F2 40
20161116165944 PROD F3 110
20161116170143 PROD F1 50
20161116170143 PROD F2 30
20161116170143 PROD F3 90
20161116170316 DEV F1 30
20161116170316 DEV F2 10
20161116170316 DEV F3 70
20161116170316 DEV F4 80
20161116192215 DEV F1 40
20161116192215 DEV F2 10
20161116192215 DEV F3 90
20161116192215 DEV F4 90
I need to have a result like below:
DB_NAME latest REC_DATE sum(TotalMB)
PROD 20161116170143 1700
DEV 20161116192215 2300
I could get a sum of TotalMB for each DB_NAME, but do not know how to filter this in order to get the latest one:
index=dba_log sourcetype=space_usage | stats sum(TotalMB) by REC_DATE DB_NAME
I think the use of subsearch should help.
Thank you for any help.
-Den
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
12-06-2016
06:18 PM
How about this?
index=dba_log sourcetype=space_usage | eventstats latest(REC_DATE) as latest_rec by DB_NAME | where latest_rec=REC_DATE | stats sum(TotalMB) as TotalMB by DB_NAME REC_DATE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davpx
Communicator
11-17-2016
09:51 AM
Try this
index=dba_log sourcetype=space_usage | stats sum(TotalMB) as TotalMB latest(REC_DATE) as REC_DATE by DB_NAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
benchdba
New Member
11-17-2016
11:18 AM
Thanks but the result returns the latest REC_DATE but the sum(TotalMB) includes all TotalMB with earlier REC_DATE for the same DB_NAME.
DB_NAME latest REC_DATE sum(TotalMB)
PROD 20161116170143 3700
DEV 20161116192215 4200
The correct result should be included only the sum(TotalMB) just for the latest REC_DATE for each DB_NAME.
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
