Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use tstats and get raw last event?

splunkreal
Motivator
‎01-26-2018 09:34 AM

Hello,

I would like to get raw last event for each source listed by tstats, how to do? I've tried tstats ... | join but no result (see attached)

Thanks.

alt text

* If this helps, please upvote or accept solution 🙂 *
Preview file
1 KB
0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 06:58 AM

Solved with stats

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-26-2018 09:47 AM

remove |table _time, _raw as here you are considering only two fields in results and trying to join with host, source and index
or you can replace that with |table _time, _raw, host, source, index
Let me know if it gives output...

0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 01:14 AM

no result 😞

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 03:37 AM

I tried reverse way and it said tstats must be the first command.

table _time,host,source,index,_raw | head 1

| join host,source,index [search | tstats latest(_time) as latest,earliest(_time) as earliest WHERE (index=* by host source index | eval lastevent=strftime(latest, "%Y-%m-%d %H:%M") | eval firstevent=strftime(earliest, "%Y-%m-%d %H:%M")
| eval stimeyesterday="%".strftime(timeYesterday, "%Y-%m-%d")."%" | eval timeRelative=round(relative_time(now(), "@d")) | where latest < timeRelative | eval datacenter=if(match(host,"s303|s403|s503|s603|s703"),"N","S") | eval resultat=if(latest < timeRelative,"KO","OK") | eval stimerel=strftime(timeRelative, "%Y-%m-%d %H:%M") | sort datacenter,index,host | where NOT like (source,stimeyesterday) | fields - latest earliest timeRelative timeYesterday stimeyesterday stimerel]

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-29-2018 04:06 AM

yes tstats should be first command .
when you search your query starting with |tstats and ends with
|where NOT like(source,stimeyesterday)
are you getting output?

0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 05:26 AM

Thanks, this works. My question was about _raw data I want to show (of last event)

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-29-2018 05:42 AM

so finally you are getting _raw data as expected...:)

0 Karma
Reply

splunkreal
Motivator
‎01-29-2018 05:51 AM

No unfortunately 😞

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

493669
Super Champion
‎01-29-2018 06:00 AM

so can you share one sample output after running:

 | tstats latest(_time) as latest,earliest(_time) as earliest WHERE (index=* by host source index | eval lastevent=strftime(latest, "%Y-%m-%d %H:%M") | eval firstevent=strftime(earliest, "%Y-%m-%d %H:%M")  | eval stimeyesterday="%".strftime(timeYesterday, "%Y-%m-%d")."%" | eval timeRelative=round(relative_time(now(), "@d")) | where latest < timeRelative | eval datacenter=if(match(host,"s303|s403|s503|s603|s703"),"N","S") | eval resultat=if(latest < timeRelative,"KO","OK") | eval stimerel=strftime(timeRelative, "%Y-%m-%d %H:%M") | sort datacenter,index,host | where NOT like (source,stimeyesterday)
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...