https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693866#M16139 <P>Hi,</P><P>I would like to get the latest search record or multiple search combination.</P><P>For example, if my search is as below</P><P>index=myIndex ABCD AND (Input OR Error)</P><P>I am expecting output as below table format</P><P>Component | Last Input Timestamp| Last Errored Timestamp</P><P>ABCD&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| 24-03-2024 12:23:23| 24-03-2024 08:23:12</P><P>Search should fetch the timestamp of latest log event of (ABCD and Input) and (ABCD and Error).&nbsp;</P> Fri, 19 Jul 2024 15:12:02 GMT anmohan0 2024-07-19T15:12:02Z https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693866#M16139 <P>Hi,</P><P>I would like to get the latest search record or multiple search combination.</P><P>For example, if my search is as below</P><P>index=myIndex ABCD AND (Input OR Error)</P><P>I am expecting output as below table format</P><P>Component | Last Input Timestamp| Last Errored Timestamp</P><P>ABCD&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| 24-03-2024 12:23:23| 24-03-2024 08:23:12</P><P>Search should fetch the timestamp of latest log event of (ABCD and Input) and (ABCD and Error).&nbsp;</P> Fri, 19 Jul 2024 15:12:02 GMT https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693866#M16139 anmohan0 2024-07-19T15:12:02Z https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693871#M16140 <LI-CODE lang="markup">| stats latest(eval(if(searchmatch("Error"),_time,null()))) as LastErroredTimestamp latest(eval(if(searchmatch("Input"),_time,null()))) as LastInputTimestamp by Component | fieldformat LastErroredTimestamp=strftime(LastErroredTimestamp,"%F %T") | fieldformat LastInputTimestamp=strftime(LastInputTimestamp,"%F %T")</LI-CODE> Fri, 19 Jul 2024 16:05:04 GMT https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693871#M16140 ITWhisperer 2024-07-19T16:05:04Z https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693873#M16141 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;Thank you very much and you made my day to achieve the desired output.</P><P>Also I would like to pass Component as a dropdown which could be either 1 or 2 or 3 comma separated values as AAAA, BBBB, CCCC and expecting output for each component it should display the Last Input Timestamp and Last Output Timestamp<BR /><BR /></P><P>Component | Last Input Timestamp| Last Errored Timestamp</P><P>AAAA&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| 24-03-2024 12:23:23| 24-03-2024 08:23:12</P><P>BBBB&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| 23-03-2024 10:12:44| 24-02-2024 05:45:22</P><P>CCCC&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| 12-05-2024 11:01:00| 04-05-2024 01:23:12</P><P>Any help to achieve this would be really appreciated!</P> Fri, 19 Jul 2024 16:39:40 GMT https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693873#M16141 anmohan0 2024-07-19T16:39:40Z https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693881#M16142 <P>This is a different question - you could modify your search to use something like Component IN $componentselection$ but it depends on how your dashboard is set up</P> Fri, 19 Jul 2024 17:32:04 GMT https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/693881#M16142 ITWhisperer 2024-07-19T17:32:04Z https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/709194#M16258 <P>Thanks a lot&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, you saved me and it works seamlessly the way I wanted</P> Mon, 20 Jan 2025 06:01:27 GMT https://community.splunk.com/t5/Alerting/Fetch-latest-timestamp-of-search-records/m-p/709194#M16258 anmohan0 2025-01-20T06:01:27Z