https://community.splunk.com/t5/Splunk-Search/How-to-maintain-latest-value-for-multiple-values-of-a-field/m-p/534543#M151059 <LI-CODE lang="markup">|makeresults | eval _raw="HOST VALUE Host1 1 Host2 4 Host3 2 Host2 7 Host3 5 Host1 8" | multikv forceheader=1 | table HOST VALUE | rename COMMENT as "this is your sample. from here, the logic" | reverse | streamstats count | reverse | eval tmp=count."_".HOST."_".VALUE | streamstats values(tmp) as tmp | streamstats count as session | mvexpand tmp | rex field=tmp "\d_(?&lt;HOST&gt;\w+)_(?&lt;VALUE&gt;\d)" | streamstats first(VALUE) as VALUE by session HOST | eval tmp2=HOST."-".VALUE | streamstats first(HOST) as HOST first(VALUE) as VALUE values(tmp2) as LATEST by session | stats values(LATEST) as LATEST by session HOST VALUE delim="," | fields - session | nomv LATEST</LI-CODE> Thu, 31 Dec 2020 08:37:14 GMT to4kawa 2020-12-31T08:37:14Z https://community.splunk.com/t5/Splunk-Search/How-to-maintain-latest-value-for-multiple-values-of-a-field/m-p/534488#M151045 <P>Given the following events</P><TABLE border="1" width="36%"><TBODY><TR><TD width="16.666666666666668%">HOST</TD><TD width="33.333333333333336%">VALUE</TD></TR><TR><TD width="16.666666666666668%">Host1</TD><TD width="33.333333333333336%">1</TD></TR><TR><TD width="16.666666666666668%">Host2</TD><TD width="33.333333333333336%">4</TD></TR><TR><TD width="16.666666666666668%">Host3</TD><TD width="33.333333333333336%">2</TD></TR><TR><TD>Host2</TD><TD>7</TD></TR><TR><TD>Host3</TD><TD>5</TD></TR><TR><TD>Host1</TD><TD>8</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How do I maintain the latest value for each host to give result like below?<BR /><BR /></P><TABLE border="1" width="24.903474903474905%"><TBODY><TR><TD width="25%" height="25px">HOST</TD><TD width="12.5%" height="25px">VALUE</TD><TD width="12.5%">LATEST</TD></TR><TR><TD width="25%" height="25px">Host1</TD><TD width="12.5%" height="25px">1</TD><TD width="12.5%">Host1-1</TD></TR><TR><TD width="25%" height="25px">Host2</TD><TD width="12.5%" height="25px">4</TD><TD width="12.5%">Host1-1,Host2-4</TD></TR><TR><TD width="25%" height="25px">Host3</TD><TD width="12.5%" height="25px">2</TD><TD width="12.5%">Host1-1, Host2-4, Host3-2</TD></TR><TR><TD width="25%" height="25px">Host2</TD><TD width="12.5%" height="25px">7</TD><TD width="12.5%">Host1-1, Host2-7, Host3-2</TD></TR><TR><TD width="25%" height="25px">Host3</TD><TD width="12.5%" height="25px">5</TD><TD width="12.5%">Host1-1, Host2-7, Host3-5</TD></TR><TR><TD width="25%" height="25px">Host1</TD><TD width="12.5%" height="25px">8</TD><TD width="12.5%">Host1-8, Host2-7, Host3-5</TD></TR></TBODY></TABLE> Wed, 30 Dec 2020 14:46:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-maintain-latest-value-for-multiple-values-of-a-field/m-p/534488#M151045 timbilt 2020-12-30T14:46:39Z https://community.splunk.com/t5/Splunk-Search/How-to-maintain-latest-value-for-multiple-values-of-a-field/m-p/534543#M151059 <LI-CODE lang="markup">|makeresults | eval _raw="HOST VALUE Host1 1 Host2 4 Host3 2 Host2 7 Host3 5 Host1 8" | multikv forceheader=1 | table HOST VALUE | rename COMMENT as "this is your sample. from here, the logic" | reverse | streamstats count | reverse | eval tmp=count."_".HOST."_".VALUE | streamstats values(tmp) as tmp | streamstats count as session | mvexpand tmp | rex field=tmp "\d_(?&lt;HOST&gt;\w+)_(?&lt;VALUE&gt;\d)" | streamstats first(VALUE) as VALUE by session HOST | eval tmp2=HOST."-".VALUE | streamstats first(HOST) as HOST first(VALUE) as VALUE values(tmp2) as LATEST by session | stats values(LATEST) as LATEST by session HOST VALUE delim="," | fields - session | nomv LATEST</LI-CODE> Thu, 31 Dec 2020 08:37:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-maintain-latest-value-for-multiple-values-of-a-field/m-p/534543#M151059 to4kawa 2020-12-31T08:37:14Z