https://community.splunk.com/t5/Splunk-Search/Need-to-extract-latest-value-from-multiple-matches/m-p/21076#M177328 <P>replace </P> <PRE><CODE>| table feed dailypeak _time </CODE></PRE> <P>with </P> <PRE><CODE>| stats max(_time) as _time by feed dailypeak </CODE></PRE> Thu, 02 May 2013 14:14:15 GMT jonuwz 2013-05-02T14:14:15Z https://community.splunk.com/t5/Splunk-Search/Need-to-extract-latest-value-from-multiple-matches/m-p/21075#M177327 <P>Hello, The following query results in multiple results when the where condition(where msgdiff=dailypeak) is met but I want just latest result, please help?</P> <PRE><CODE>index="ContentGateway" sourcetype=Messagestats host="cg1-e-fid-bos-l1" | streamstats current=t window=2 global=f allnum=t range(Messages) as msgdiff by host source | eval msgdiff=msgdiff/5 | rex field=source "/home/activ/ContentGateway/log/updates/MessageStatistics.(?&lt;feed&gt;\w*(?!\d)\w)" | bin _time span=5s | stats sum(msgdiff) as msgdiff by _time feed | eventstats max(msgdiff) as dailypeak by feed | where msgdiff=dailypeak | table feed dailypeak _time </CODE></PRE> <P>thanks,<BR /> Thiru.</P> Wed, 01 May 2013 15:27:03 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-extract-latest-value-from-multiple-matches/m-p/21075#M177327 thiru25 2013-05-01T15:27:03Z https://community.splunk.com/t5/Splunk-Search/Need-to-extract-latest-value-from-multiple-matches/m-p/21076#M177328 <P>replace </P> <PRE><CODE>| table feed dailypeak _time </CODE></PRE> <P>with </P> <PRE><CODE>| stats max(_time) as _time by feed dailypeak </CODE></PRE> Thu, 02 May 2013 14:14:15 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-extract-latest-value-from-multiple-matches/m-p/21076#M177328 jonuwz 2013-05-02T14:14:15Z