D159
Reputation: 311
stats latest not showing any value for field
We have following query -
index=yyy sourcetype=zzz "RAISE_ALERT" logger="aaa" | table uuid message timestamp | eval state="alert" | append [SEARCH index=yyy sourcetype=zzz "CLEAR_ALERT" logger="aaa" | table uuid message timestamp | eval state="no_alert" ] | stats latest(state) as state by uuid
But this query is not showing anything for state, it shows only uuid.
Query before and without latest works just fine. Here is screenshot of result of everything before stats -
If we replace stats latest with stats first, we can see uuid and state, its just not the latest observed value of state for that uuid.
Any idea as to why this can happen?
Upvotes: 0
Views: 368
Answers (1)
D159
Reputation: 311
Looks like table clause was the issue. Removing both table clauses makes this work.
Upvotes: 1
Related Questions
- Splunk: I am trying to create report by writing a query but the values are not displaying under statistics. How can I resolve this?
- Using stats with a base query
- Splunk - display top values for only certain fields
- How to extract a field from a Splunk search result and do stats on the value of that field
- Splunk produces a table with only one row
- How to extract a value from fields when using stats()
- Splunk query do not return value for both columns together
- Splunk: Unable to get the correct min and max values
- Splunk extracted field in dashboard
- Why won't Splunk recognize these fields?