We are always looking for ways to do specific searches, and it seems complicated when we don't know all the possibilities of the tool.
So here we are to explore some of them!
Stats functions
First
[search] | stats first([field]) by [parameter]
The first() function returns, for each value of the parameter, the first value of the given field that the search finds.
So if you first use "sort _time asc", you will get the value from the earliest log linked to the parameter. If you sort alphabetically, you will retrieve the first element of the list.
Example
index=info | stats first(name) by id
Last
[search] | stats last([field]) by [parameter]
Like first, but takes the last element of the list.
Example
index=info | stats last(name) by id
Earliest
[search] | stats earliest([field]) by [parameter]
Like first and last, but always takes the value from the earliest log (by _time), whatever the sort order of the results.
Example
index=info | stats earliest(name) by id
Latest
[search] | stats latest([field]) by [parameter]
Like earliest, but takes the value from the latest log.
Example
index=info | stats latest(name) by id
Splunk Stats function documentation
Rename
In many cases it can be really useful to rename a field.
A perfect example is after "| stats first(xxx) by id". If you check the names of the fields returned by the function, they all look like "first(xxx)" except id. Keeping "first(xxx)" won't help you with further processing, so you need to rename the fields.
[search] | rename [field to rename] AS [new name]
Example
index=info | rename id AS id_element
Dedup
Removes the logs that contain an identical combination of values for the fields that you specify.
[search] | dedup [list of fields]
Example
index=info | dedup id name
Fillnull
Replaces null values in the given field with the value passed as the parameter. If you do not give a field list, fillnull applies to all fields.
[search] | fillnull value=[new value] [field name]
Example
index=info | fillnull value=empty error_code
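As an added example (not from the original post), here is how the commands above combine into one search that summarises failed logins per user. The index auth and the fields action, user and src_ip are assumed to exist in your data: dedup drops events duplicated by log forwarding, stats collects the earliest and latest failure, rename gives the stats columns readable names, and fillnull marks users whose events carry no source IP.

```spl
index=auth action=failure
| dedup _time user src_ip
| stats earliest(_time), latest(_time), latest(src_ip), count BY user
| rename "earliest(_time)" AS first_failure, "latest(_time)" AS last_failure,
         "latest(src_ip)" AS last_src_ip, count AS failures
| fillnull value="unknown" last_src_ip
| eval first_failure=strftime(first_failure, "%Y-%m-%d %H:%M:%S"),
       last_failure=strftime(last_failure, "%Y-%m-%d %H:%M:%S")
| where failures >= 10
| sort - failures
```

earliest() and latest() return epoch seconds when applied to _time, so strftime is used to turn them into readable timestamps before the final filter on the failure count.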
I hope it will help you!