- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with an issue I'm having with the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with an issue I'm having with the latest() function in a timechart?
Hi,
I have data like mentioned below
28-11-01 10:30:13,127 digits=30
28-11-01 07:20:08,240 digits=50
28-11-01 05:01:18,101 digits=60
28-11-01 12:12:22,127 digits=120
09-12-01 12:12:22,127 digits=180
10-01-01 05:01:18,101 digits=500
i want to display the latest digit using a timeline chart. I have written a query like | timechart latest(digits) as latestRecord and it's working fine, but when running this a couple of times in the span of the last 3 months, November months keep changing the output. Like one time, it's displaying 30 — another time 50, 60, 120 like that
if i run multiple times also, expected output:
2018-11 30
2018-12 180
2019-01-500
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that your example output is wrong (should be 120 not 30); try this:
| makeresults
| eval raw="28-11-01 10:30:13,127 digits=30:::28-11-01 07:20:08,240 digits=50:::28-11-01 05:01:18,101 digits=60:::28-11-01 12:12:22,127 digits=120:::09-12-01 12:12:22,127 digits=180:::10-01-01 05:01:18,101 digits=500"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<_time>.*?) digits=(?<digits>\d+)$"
| eval _time = strptime(_time, "%d-%m-%y %H:%M:%S,%3n")
| sort 0 - _time
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| bin _time span=1d
| dedup _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@james_n ,
| timechart latest(digits) as latestRecord assigns a auto span to the time window (1d,1mon etc) based on your time selection.
Try setting a fixed span based on your requirement. For e.g. if you want the latest data per month , set as 1 mon or day as 1d
| timechart span=1mon latest(digits) as latestRecord
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @renjith.nair thanks for your response, but time is selected by the user using time picker and i tried as what you said, even though its working same..no change
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@james_n , that's ok. we just need to set the span. So if we set the span to 1mon as in the above example, the search will pick up the latest digit of that month regardless of what time range user selects. How you define latest ? Is it latest of the month or latest of all time (just 1 value) or latest of the day or latest of another parameter?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i would like to display latest digit in a entire month like above mentioned expected output from the mentioned data. i am writing query i.e, | timechart latest(digits) as latestRecord , if i mention span also like | timechart span=1mon latest(digits) as latestRecord , not working its keep changing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you dont want a time series, you can use stats as well
eval time=strftime(_time,"%Y-%m")|stats latest(digits) as latestRecord by time
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
