topic Re: Display Last Event Time in Stats function in Splunk Search

Display Last Event Time in Stats function

shangshin — Mon, 28 Sep 2020 12:18:40 GMT

Hi,
I would like to display the last event time when using stats function. the following search string works but the time is not human readable. I tried to use the convert function strftime(last(_time), "%m/%d %H:%M:%S") but it's not working.

I would sppreciate if anyone could shed some light on this. Thanks!

stats max(time_in_sec), min(time_in_sec), avg(time_in_sec), last(_time) by url

Re: Display Last Event Time in Stats function

hexx — Wed, 22 Aug 2012 14:59:36 GMT

Since you want to display the time stamp of the most recent event in the results, I would recommend using latest() instead of last(). Consider the following definition of latest():

latest(X)    This function returns the chronologically latest seen occurrence of a value of a field X.

Anyway, I here is the suggested search string:

... | stats max(time_in_sec), min(time_in_sec), avg(time_in_sec), latest(_time) AS latest_time by url | convert ctime(latest_time)

Re: Display Last Event Time in Stats function

alacercogitatus — Mon, 28 Sep 2020 12:18:48 GMT

I like the answer.

Shangshin, just note that latest is a function of stats only in Splunk versions past 4.3. If you have <4.3, try "| stats max(time_in_sec), min(time_in_sec) avg(time_in_sec), first(_time) as latest_time by url | convert ctime(latest_time)"

Re: Display Last Event Time in Stats function

shangshin — Wed, 22 Aug 2012 20:03:52 GMT

Thanks for the info. My splunk version is 4.3.1 but the function, latest, seems not working.