topic Re: Getting Time of last occurrence of a sbstring in Splunk Search

Getting Time of last occurrence of a sbstring

siddharthmis — Mon, 19 Jun 2017 04:25:18 GMT

I have events like below in a log file-

06/18/2017 22:35:10,Message="Finished Cleanup"
06/18/2017 22:57:02,Message="Finished Cleanup"
06/18/2017 22:57:02,Message="Finished Cleanup"

I want to extract (only) the time "06/18/2017 22:57" i.e. the time of last occurrence.

I used-

source="**"  Message="Finished Cleanup" |  stats max(_time) as time by Message  | eval End_Time=strftime(time,"%m/%d/%Y %H:%M")

But stats is not helping as I only want the time stamp.
How can I get time stamp only.

dineshraj9 — Mon, 19 Jun 2017 05:34:35 GMT

You are filtering out based on the Message field, so you don't need to use it with stats command -

 source="**"  Message="Finished Cleanup" |  stats max(_time) as time | eval End_Time=strftime(time,"%m/%d/%Y %T")

Also you are filter fields using the fields command.

inventsekar — Mon, 19 Jun 2017 09:02:01 GMT

maybe, try - tail 1 --- to get the oldest event and then a rex to extract the timestamp.

( "tail 1" worked the opposite way around, replace it with "head 1" )

source="**" Message="Finished Cleanup" | tail 1 | rex field=_raw "^(?<DateTime>\d+\/\d+\/\d+\s+\d+:\d+:\d+)" | table DateTime _raw

inventsekar — Wed, 21 Jun 2017 00:02:55 GMT

Hi siddharthmis, may we know if this is working fine now? can you please mark this as completed