Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use streamstats to display the last current result?

desslerlee
Explorer
‎01-25-2018 02:05 AM

Hi all,

I am trying to use streamstats to display an event for a particular user, their current Payment Number for this month, and the subsequent Payment number for the next event. (Do note that I sort the date in reverse order).

 | sort  -TransactDate
  | streamstats current=f window=1 last("Payment Number") as NextPaymentNumber  
  | table  Username,  "TransactDate","Payment Number", NextPaymentNumber

I almost get the result I want as below:

 Username       TransactDate         Payment Number      NextPaymentNumber
    Adam                   2/2/2017               2                       3
    Adam                   2/1/2017               1                       2

However, what I need is something like below:

Username       TransactDate         Payment Number      NextPaymentNumber
     Adam                   2/3/2017               3                       3
    Adam                   2/2/2017               2                       3
    Adam                   2/1/2017               1                       2

Where the record on 2/3/2017 is the latest record, and the latest and maximum Payment number is 3.

Please advice how could I achieve that? Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎01-25-2018 04:53 PM

Try something like this

 your search that gets the payments (most recent first)
| reverse
| streamstats count as payno by Username
| reverse
| streamstats current=f window=1 last(payno) as nextpayno by Username
| eval nextpayno = coalesce(nextpayno, payno)

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎01-25-2018 04:53 PM

Try something like this

 your search that gets the payments (most recent first)
| reverse
| streamstats count as payno by Username
| reverse
| streamstats current=f window=1 last(payno) as nextpayno by Username
| eval nextpayno = coalesce(nextpayno, payno)
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-25-2018 01:47 PM

Do you want to add an extra row for each user with latest date (max date +1) and latest (max + 1) PaymentNumber?

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-25-2018 02:38 AM

i am getting the results with your query!

| makeresults 
|  eval raw="Adam2/2/201723 Adam2/1/201712 Adam2/3/201733" 
| makemv raw
| mvexpand raw 
| rex field=raw "(?<Username>[^\d]+)(?<TransactDate>\d\/\d\/\d{4})(?<PaymentNumber>\d)(?<NextPaymentNumber>\d)" 
|  fields- raw _time | sort- TransactDate | streamstats   last("PaymentNumber") as NextPaymentNumber 
| table Username, "TransactDate","PaymentNumber", NextPaymentNumber

can you try putting table command | table Username, "TransactDate","Payment Number", NextPaymentNumber before streamstats and see if you are getting a proper table with descending transactdate.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...