topic Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within in Splunk Search

How to create a query as below, but I would like to get the latest data for a field within span?

vgiri8 — Fri, 12 Aug 2022 15:19:37 GMT

Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within span of 1w.

index=my_index | timechart span=1w estdc(host) by site

I would like to get the latest data for field "encrypted=false" within the span=1w for all host by site

Edit: encrypted=false changed from true

Edit 2:
Summary of What I am trying to get as clearly articulated by @ITWhisperer
"So my guess was right - this is what the search is basically doing

For each week, it gets the latest encryption state for each host on each site

Then keeps only those statistics where the state is false

Then counts to events (one for each host with encryption false for that week) by week and site"

Finally, it reorganises the data into chart format.

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

ITWhisperer — Fri, 12 Aug 2022 09:08:24 GMT

Do you mean something like this?

index=my_index | where encrypted="true" | timechart span=1w estdc(host) by site

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 09:38:09 GMT

Hi @ITWhisperer ,

I am searching for encrypted=false. So changing the below example to reflect that ( Sorry for the confusion in the Original post)

If I add. // where encrypted="false". // early in the query, search will only look for encrypted=false and not the latest results for a given host, which could change within the span time frame(span=1w) and then I would get the count of the host which have encrypted= false, but that is not correct count. I mean I would get the results for all encrypted=false within the span but not the latest state within the time frame.

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 09:42:52 GMT

I currently use this to get the data for list of host, this query only gives me the latest data of host.

index=my_index | stats latest(encrypted) AS Encrypted BY host | where Encrypted="false"

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

ITWhisperer — Fri, 12 Aug 2022 09:46:44 GMT

Do you mean something like this?

index=my_index | bin _time as week span=1w | stats latest(encrypted) as encrypted by week host site

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 09:56:35 GMT

Hi @ITWhisperer ,

I am still looking for trend chart to show, thats why I am using timechart with the count of host per site per week

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

ITWhisperer — Fri, 12 Aug 2022 10:04:07 GMT

I am still not sure what it is you are trying to show, but here is my next guess

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 10:04:39 GMT

index=my_index encrypted=false | timechart span=1w estdc(host) by site

How do I get the latest encrypted data which is false , removing encrypted=false from the main search.

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 10:06:56 GMT

I am trying to get a trend chart per site per week, for all host which had encryption=false within a given week.

Basically trying to see the trend and check if we are improving week by week in encryption=false, basically needs to reduce.

I am sorry If I was not clear before.

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

ITWhisperer — Fri, 12 Aug 2022 10:16:28 GMT

So my guess was right - this is what the search is basically doing

For each week, it gets the latest encryption state for each host on each site

Then keeps only those statistics where the state is false

Then counts to events (one for each host with encryption false for that week) by week and site

Finally, it reorganises the data into chart format.

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 10:22:57 GMT

Yes you are correct.

I have one last question, how do I change the week to more readable format from current in the screenshot. I can do eval, but where do I add it in the query?

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

ITWhisperer — Fri, 12 Aug 2022 10:34:14 GMT

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 10:46:15 GMT

Hi @ITWhisperer ,

Finally seeing data as required. I had few questions,

I feel to do this, so that I only get single count per host, since I could have multiple entries in a week for the same host, if I use "count by _time"

| stats count by _time site

replace it with

| stats dc(host) by site

your thoughts

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

ITWhisperer — Fri, 12 Aug 2022 12:29:29 GMT

stats dc(host) by site gives you the count of distinct hosts per site

stats count by host site gives a statistics event per unique site - effectively this is a distinct event for each host so by counting the statistics events from the first stats you get the same as the dc(host).

Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within

vgiri8 — Fri, 12 Aug 2022 14:35:36 GMT

Thank you so much @ITWhisperer