Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Group by oldest Date

anava
New Member
‎04-02-2013 11:38 AM

Search:
stats count by filingType, application, recDate

filingType application recDate count

MN-CORP-FILING LACERTE 2013-03-31 1

MN-CORP-FILING LACERTE 2013-04-01 2

I need to group by oldest recDate so results look like this:

filingType application recDate count

MN-CORP-FILING LACERTE 2013-03-31 3

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-02-2013 01:14 PM

You should use stats in a slightly different manner. The problem is that you are now grouping by a field that will have different values, namely the recDate.

Instead you should only group by the first two, and just attach the lowest/earliest value of date for every combination of filingType and application, along with the count. If your recDate is in the format you specify you may need to alter that a bit for sorting purposes.

Alternative A (this assumes that events you have came in chronologically, which makes the last retrieved event have the earliest recDate - remember that a search always returns the newest events first);

...| stats c last(recDate) as recDate by filingType, application

Alternative B (which may be just as good, though just a little longer query);

...| eval rd = strptime(recDate, "%Y-%m-%d") | stats c min(rd) as recDate by filingType, application | eval recDate = strftime(recDate, "%Y-%m-%d")

This converts the date string into epoch for each event, which makes it easy to find the min() of that. Then it's converted back to a string for presentation purposes.

EDIT: typos and errors

Hope this helps,

Kristian

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2013 12:31 PM

You can get the minimum of a field using eventstats: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/eventstats

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎04-02-2013 12:17 PM

I would check the "sort" command. You can append your search with the following:

| sort recDate

Hope that helps.

0 Karma
Reply

anava
New Member
‎04-02-2013 12:27 PM

That command does not work. In SQL it would read this way:
group by filingType, application, min(recDate)

I need a way of using MIN in splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...