Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use tstats and get raw last event?

splunkreal
Motivator
‎01-26-2018 09:34 AM

Hello,

I would like to get raw last event for each source listed by tstats, how to do? I've tried tstats ... | join but no result (see attached)

Thanks.

alt text

* If this helps, please upvote or accept solution 🙂 *
Preview file
1 KB
0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 06:58 AM

Solved with stats

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-26-2018 09:47 AM

remove |table _time, _raw as here you are considering only two fields in results and trying to join with host, source and index
or you can replace that with |table _time, _raw, host, source, index
Let me know if it gives output...

0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 01:14 AM

no result 😞

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 03:37 AM

I tried reverse way and it said tstats must be the first command.

table _time,host,source,index,_raw | head 1

| join host,source,index [search | tstats latest(_time) as latest,earliest(_time) as earliest WHERE (index=* by host source index | eval lastevent=strftime(latest, "%Y-%m-%d %H:%M") | eval firstevent=strftime(earliest, "%Y-%m-%d %H:%M")
| eval stimeyesterday="%".strftime(timeYesterday, "%Y-%m-%d")."%" | eval timeRelative=round(relative_time(now(), "@d")) | where latest < timeRelative | eval datacenter=if(match(host,"s303|s403|s503|s603|s703"),"N","S") | eval resultat=if(latest < timeRelative,"KO","OK") | eval stimerel=strftime(timeRelative, "%Y-%m-%d %H:%M") | sort datacenter,index,host | where NOT like (source,stimeyesterday) | fields - latest earliest timeRelative timeYesterday stimeyesterday stimerel]

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-29-2018 04:06 AM

yes tstats should be first command .
when you search your query starting with |tstats and ends with
|where NOT like(source,stimeyesterday)
are you getting output?

0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 05:26 AM

Thanks, this works. My question was about _raw data I want to show (of last event)

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-29-2018 05:42 AM

so finally you are getting _raw data as expected...:)

0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 05:51 AM

No unfortunately 😞

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-29-2018 06:00 AM

so can you share one sample output after running:

 | tstats latest(_time) as latest,earliest(_time) as earliest WHERE (index=* by host source index | eval lastevent=strftime(latest, "%Y-%m-%d %H:%M") | eval firstevent=strftime(earliest, "%Y-%m-%d %H:%M")  | eval stimeyesterday="%".strftime(timeYesterday, "%Y-%m-%d")."%" | eval timeRelative=round(relative_time(now(), "@d")) | where latest < timeRelative | eval datacenter=if(match(host,"s303|s403|s503|s603|s703"),"N","S") | eval resultat=if(latest < timeRelative,"KO","OK") | eval stimerel=strftime(timeRelative, "%Y-%m-%d %H:%M") | sort datacenter,index,host | where NOT like (source,stimeyesterday)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...