topic How to pull latest event in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-pull-latest-event/m-p/529003#M149350 <P>I have a search/dash board that will show data over the last 30 days, the search is as followed&nbsp;</P> <LI-CODE lang="markup">index=server EventCode=5829 | stats count by ComputerName, Domain, Machine_SamAccountName, Machine_Operating_System </LI-CODE> <P>this search will give me roughly 70~ events a month, the problem is now my customer would like to have the time stamp put on the table, (which is easy by putting just the "_time" field in there) my problem that I am running into is that it will give me 10,000 results now! I showed the customer this and they said it would be fine for me to show just the latest event in the last 30 days for each Machine_SamAccountName.&nbsp;</P> <P>&nbsp;</P> <P>My question is how????&nbsp;</P> Wed, 11 Nov 2020 17:01:30 GMT eb1929 2020-11-11T17:01:30Z How to pull latest event https://community.splunk.com/t5/Splunk-Search/How-to-pull-latest-event/m-p/529003#M149350 <P>I have a search/dash board that will show data over the last 30 days, the search is as followed&nbsp;</P> <LI-CODE lang="markup">index=server EventCode=5829 | stats count by ComputerName, Domain, Machine_SamAccountName, Machine_Operating_System </LI-CODE> <P>this search will give me roughly 70~ events a month, the problem is now my customer would like to have the time stamp put on the table, (which is easy by putting just the "_time" field in there) my problem that I am running into is that it will give me 10,000 results now! I showed the customer this and they said it would be fine for me to show just the latest event in the last 30 days for each Machine_SamAccountName.&nbsp;</P> <P>&nbsp;</P> <P>My question is how????&nbsp;</P> Wed, 11 Nov 2020 17:01:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-latest-event/m-p/529003#M149350 eb1929 2020-11-11T17:01:30Z Re: How to pull latest event https://community.splunk.com/t5/Splunk-Search/How-to-pull-latest-event/m-p/529024#M149356 <P>Does this fulfill the requirements?</P><LI-CODE lang="markup">index=server EventCode=5829 | stats count, latest(_time) as _time by ComputerName, Domain, Machine_SamAccountName, Machine_Operating_System </LI-CODE> Wed, 11 Nov 2020 19:32:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-latest-event/m-p/529024#M149356 richgalloway 2020-11-11T19:32:15Z