Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use aggregate function latest for each minute to use timechart

wvanloon
New Member
‎11-05-2019 04:41 AM

My data looks like this:

_time:11/5/1912:41:00
ID: 123
Value:10

For each minute I want to know the last value that was known in that minute. How can I achieve this?
The ID is not updated every minute, so if the latest value for a given id at the moment 12:41 is 10 I want the same number for 12:42.

I've tried something like this:
index="" | bin span=1m _time | streamstats current=f window=1440 last(value) AS last_value by id

But I have the feeling I am missing a part.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎11-06-2019 04:07 AM

I think what you're looking for is this.

index = someindex
| fields _time, value, id
| timechart span=1m latest(value) as value by id limit=0
| filldown

If this id has never had a value in the selected time range, then it won't show up.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎11-06-2019 04:07 AM

I think what you're looking for is this.

index = someindex
| fields _time, value, id
| timechart span=1m latest(value) as value by id limit=0
| filldown

If this id has never had a value in the selected time range, then it won't show up.

0 Karma
Reply
Solved! Jump to solution

wvanloon
New Member
‎11-06-2019 05:37 AM

Thanks this is the beginning for what I was looking for.

After this search I want to be able to count the occurrence of each value by time, any idea?

0 Karma
Reply
Solved! Jump to solution

arjunpkishore5
Motivator
‎11-06-2019 05:24 PM

You're welcome.

The occurrence, is this going to be a separate search? or you want to append to the results of this search?

0 Karma
Reply
Solved! Jump to solution

wvanloon
New Member
‎11-06-2019 11:57 PM

The best way would be to append to this result. But a seperate search would be fine too.

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎11-05-2019 09:30 AM

Does adding _time at the end of your by id clause help?

by id _time

@marycordova
0 Karma
Reply
Solved! Jump to solution

wvanloon
New Member
‎11-06-2019 12:40 AM

No that is not working. The problem is that if you group by id and _time it will not find the latest value before that time if the value for that minute doesn't exist.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...