https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239642#M71183 <P>Note, <CODE>latest()</CODE> goes by the <CODE>_time</CODE> value extracted from the event, not by what was last indexed. Usually _time is what you want though.</P> Sat, 26 Nov 2016 23:54:34 GMT martin_mueller 2016-11-26T23:54:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239633#M71174 <P>Hello,</P> <P>I have the following event data:</P> <PRE><CODE>City,Date,Temp,Sky New York,2016-11-10,20,Clear New York,2016-11-10-19,Cloudy San Francisco,2016-11-20,20,Clear San Francisco,2016-11-19,18,Rain Rome,2016-11-20,11,Rain Rome,2016-11-19,10,Partly Cloudy </CODE></PRE> <P>What I would like to do is get the latest event for each city, so I have results:</P> <PRE><CODE>City,Date,Temp,Sky New York,2016-11-10,20,Clear San Francisco,2016-11-20,20,Clear Rome,2016-11-20,11,Rain </CODE></PRE> <P>I have tried</P> <P>stats first(City) by City</P> <P>But this just gives me a list that I cannot use. Any help would be great!</P> <P>Thank you!</P> <P>Andrew</P> Sat, 26 Nov 2016 16:08:01 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239633#M71174 andrewtrobec 2016-11-26T16:08:01Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239634#M71175 <P>Hi andrewtrobec,<BR /> you have to try with </P> <PRE><CODE>stats latest(City) by City </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonStatsFunctions</A></P> <P>Bye.<BR /> Giuseppe</P> Sat, 26 Nov 2016 16:59:50 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239634#M71175 gcusello 2016-11-26T16:59:50Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239635#M71176 <P>... | stats latest(_raw) latest(temp) latest(sky) by City</P> <P>Remove whatever you don't want.</P> Sat, 26 Nov 2016 18:10:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239635#M71176 jkat54 2016-11-26T18:10:13Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239636#M71177 <P>Thanks! What is the difference between your suggestion and what I was able to get working:</P> <PRE><CODE>| dedup City | table City, Date, Temp, Sky </CODE></PRE> <P>?</P> Sat, 26 Nov 2016 18:18:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239636#M71177 andrewtrobec 2016-11-26T18:18:35Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239637#M71178 <P>The <CODE>dedup</CODE> command passes all fields to the next command whereas the <CODE>stats</CODE> command only passes the stats it calculates and the fields following the <CODE>by</CODE> keyword.</P> Sat, 26 Nov 2016 20:53:28 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239637#M71178 richgalloway 2016-11-26T20:53:28Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239638#M71179 <P>Additionally, <CODE>dedup</CODE> goes by event order while <CODE>latest()</CODE> goes by <CODE>_time</CODE> order.</P> Sat, 26 Nov 2016 21:16:39 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239638#M71179 martin_mueller 2016-11-26T21:16:39Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239639#M71180 <P>Thanks, that makes sense. In my case I don't want all fields to pass on, so I suppose it's more efficient to use the <CODE>stats</CODE> command.</P> Sat, 26 Nov 2016 23:30:28 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239639#M71180 andrewtrobec 2016-11-26T23:30:28Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239640#M71181 <P>Thanks for the clarification. It that case I want to use <CODE>stats</CODE> with <CODE>last</CODE> since I want the last event (most recently indexed).</P> Sat, 26 Nov 2016 23:32:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239640#M71181 andrewtrobec 2016-11-26T23:32:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239641#M71182 <P>Also note that first and last can be manipulated using sort prior to the stats command and therefore they are not meant for use when you want the latest or earliest event. You really do want to insure your timeStamping is good and then use latest(). That's my final answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 26 Nov 2016 23:48:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239641#M71182 jkat54 2016-11-26T23:48:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239642#M71183 <P>Note, <CODE>latest()</CODE> goes by the <CODE>_time</CODE> value extracted from the event, not by what was last indexed. Usually _time is what you want though.</P> Sat, 26 Nov 2016 23:54:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-latest-event-by-a-specific-field/m-p/239642#M71183 martin_mueller 2016-11-26T23:54:34Z