https://community.splunk.com/t5/Splunk-Search/find-the-latest-field-only-from-multiple-output/m-p/535473#M151334 <P>I have a query like below :</P><P>bla bla ...| lookup mylookupfile.csv Hostname as Name output Status Creation_Date<BR />| eval Status=MVDEDUP(Status) |eval Creation_Date=mvindex(Creation_Date,-1)| then rest of my query</P><P>Here issue happens when while matching for the Hostname i get two Status values&nbsp;</P><P>So above query gives me output where :&nbsp;</P><P>1) i am getting Creation_Date field as the latest date only</P><P>2) But Status i am receiving both Active and Destroyed</P><P>i want to get in Status field only the corresponding value of Status for latest(Creation_Date)</P><P>How can i do that</P> Tue, 12 Jan 2021 12:56:22 GMT surekhasplunk 2021-01-12T12:56:22Z https://community.splunk.com/t5/Splunk-Search/find-the-latest-field-only-from-multiple-output/m-p/535473#M151334 <P>I have a query like below :</P><P>bla bla ...| lookup mylookupfile.csv Hostname as Name output Status Creation_Date<BR />| eval Status=MVDEDUP(Status) |eval Creation_Date=mvindex(Creation_Date,-1)| then rest of my query</P><P>Here issue happens when while matching for the Hostname i get two Status values&nbsp;</P><P>So above query gives me output where :&nbsp;</P><P>1) i am getting Creation_Date field as the latest date only</P><P>2) But Status i am receiving both Active and Destroyed</P><P>i want to get in Status field only the corresponding value of Status for latest(Creation_Date)</P><P>How can i do that</P> Tue, 12 Jan 2021 12:56:22 GMT https://community.splunk.com/t5/Splunk-Search/find-the-latest-field-only-from-multiple-output/m-p/535473#M151334 surekhasplunk 2021-01-12T12:56:22Z https://community.splunk.com/t5/Splunk-Search/find-the-latest-field-only-from-multiple-output/m-p/535490#M151343 <P>If I understand the problem correctly then this should help.</P><LI-CODE lang="markup">bla bla ...| lookup mylookupfile.csv Hostname as Name output Status Creation_Date | eval created = strptime(Creation_Date, "format string that matches the date format") | sort 1000 - created | fields - created | head 1 | then rest of my query</LI-CODE><P>&nbsp;The lookup file already associates Status with Creation_Date so all the query needs to do is find the most recent Creation_Date value.&nbsp; We do that by converting the Creation_Date field to epoch form (assuming it is not already an epoch) then sorting the dates in descending order.&nbsp; The first event in the results is the latest date.</P> Tue, 12 Jan 2021 14:58:46 GMT https://community.splunk.com/t5/Splunk-Search/find-the-latest-field-only-from-multiple-output/m-p/535490#M151343 richgalloway 2021-01-12T14:58:46Z