https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133647#M36499 <P>If I choose a smaller time range, example: 29 April - 2 May, then I always see two MAC addresses. So, setting up minspan is not enough or am I missing something?</P> Wed, 03 Jun 2015 07:24:00 GMT andra_pietraru 2015-06-03T07:24:00Z https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133643#M36495 <P>Hello,</P> <P>I am using lookups to get some metadata from a CSV file that also has timestamps. </P> <P>How could I retrieve the latest (maximum) timestamp from the CSV such that it is smaller than the event time? Is there any command that can do that? I tried stats and max, but that only finds the maximum without taking into consideration the second condition.<BR /> Thanks in advance!</P> Tue, 02 Jun 2015 11:23:38 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133643#M36495 andra_pietraru 2015-06-02T11:23:38Z https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133644#M36496 <P>No one command can do that. Filter first for smaller times then look for max. Something like <CODE>... | where csvTime &lt; _time | stats max(csvTime) | ...</CODE>.</P> Tue, 02 Jun 2015 12:14:16 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133644#M36496 richgalloway 2015-06-02T12:14:16Z https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133645#M36497 <P>Just to make it more clear: based on IP addresses I retrieve MAC addresses and timestamps from the CSV file. I will retrieve several timestamps for each IP address. What I want to achieve is to make a timechart where I can see the MAC addresses in time. So, for example, if I have 2 MAC address with timestamp 1st of April and then I have only one MAC address with timestamp 1st of May for IP "::1", I want to see that in the timechart. Hence, from 1st April to 1st May IP "::1" should have two MAC addresses and starting 1st of May only one MAC address.<BR /> Do you have any suggestions? Thanks</P> Tue, 02 Jun 2015 12:42:17 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133645#M36497 andra_pietraru 2015-06-02T12:42:17Z https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133646#M36498 <P>Get the data from the CSV, but don't worry about smaller times. Let the bucketing feature of the timechart command handle that for you. Something like <CODE>... | timechart minspan=1mon count by MAC</CODE>.</P> Tue, 02 Jun 2015 13:10:09 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133646#M36498 richgalloway 2015-06-02T13:10:09Z https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133647#M36499 <P>If I choose a smaller time range, example: 29 April - 2 May, then I always see two MAC addresses. So, setting up minspan is not enough or am I missing something?</P> Wed, 03 Jun 2015 07:24:00 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133647#M36499 andra_pietraru 2015-06-03T07:24:00Z https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133648#M36500 <P>You may indeed be missing something, but I don't know what that would be. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 03 Jun 2015 15:44:03 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-latest-timestamp-from-CSV-file-such-that-it-is/m-p/133648#M36500 richgalloway 2015-06-03T15:44:03Z