- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- SQL samples in splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just getting started with Splunk & after a little direction.
I have a SQL query that returns a list of requests that a database is handling and some info about those requests.
I output the data as rows of key=value pairs & that's appearing nicely in Splunk (thanks to the various posts about how best to do this).
The one thing I'm struggling with is being able to show only the last set of rows output by the monitor. I include in the output a timestamp which is the same for all rows on each sample interval. The problem is I currently get all rows from all samples, when what I need is all rows from the last sample only - these have the latest/max/last timestamp.
My time format is "2013-05-17 17:41:25", but if needed I could output epoch if that's easier.
I'm sure this is a simple thing, but just starting out so need some pointers about where to look/approach.
Thanks
Ok, got a little further;
I think I've got a little further with this now, but I'm still getting multiple samples in my data. I should have said that each sample contains a variable number of rows - say 20-30, and I only want a table containing the that last block of samples.
Anyway - this is what I have;
monitoringInstance=myInstanceName | eval timeEpoch=strptime(timestamp, "%F %H:%M:%S") | stats max(timeEpoch) as lastSample | where timeEpoch=lastSample | table timeEpoch lastSample timestamp requestColumn1 requestColumn2 requestColumn3 requestColumn4
lastSample has the epoch of my last sample time.
timeEpoch contains the conversion of timestamp as an epoch
I think it's the where clause that's letting me down.....or the fact it's wrong 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One simple (but not necessarily high performance) approach is to use dedup. The dedup command will by default show only the newest (by time) event for a given set of fields. But, this might not be exactly the same as what you are looking for here.
But here is another approach that might do what you want:
monitoringInstance=myInstanceName
| eventstats max(_time) as lastSample
| where _time=lastSample
| table _time requestColumn1 requestColumn2 requestColumn3 requestColumn4
The eventstats command works differently from the standard stats command in that instead of aggregating your results to a smaller set of rows, it appends new fields to your existing results -- thus making your where work better.
Also, I replaced your epochTime with _time which is a Splunk built-in variable based on its own parsing of the time of the event into epoch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One simple (but not necessarily high performance) approach is to use dedup. The dedup command will by default show only the newest (by time) event for a given set of fields. But, this might not be exactly the same as what you are looking for here.
But here is another approach that might do what you want:
monitoringInstance=myInstanceName
| eventstats max(_time) as lastSample
| where _time=lastSample
| table _time requestColumn1 requestColumn2 requestColumn3 requestColumn4
The eventstats command works differently from the standard stats command in that instead of aggregating your results to a smaller set of rows, it appends new fields to your existing results -- thus making your where work better.
Also, I replaced your epochTime with _time which is a Splunk built-in variable based on its own parsing of the time of the event into epoch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
figuring that this might be faster, since you'll search over a smaller, yet undefined timespan. The subsearch grabs the time from the last event and passes it to the outer search as earliest:
monitoringInstance=myInstanceName
[search monitoringInstance=myInstanceName
| head 1
| eval earliest = _time
| fields + earliest
]
| table _time blah0 blah1 blah2
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent!! That's just what I needed - works a treat.
Many thanks for that one.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
