How can I fetch the latest values?

smanojkumar · ‎04-28-2023

Hi There,

Im having several fields and multiple values for same src_name and email, I need latest date in check_date and its associated values for that respective src_name, these things are there in lookup, so I need those data of latest in check_date for that specific src_name,

richgalloway · ‎04-28-2023

Perhaps this will help.

<<your current search for events>>
| eventstats latest(check_date) as max_check_date by src_name
| where check_date=max_check_date
| fields - max_check_date

---
If this reply helps you, Karma would be appreciated.

smanojkumar · ‎05-01-2023

Hi @richgalloway !

Thanks for your resposne,

The field max_check_date is not working as expected, it is not calculating the values, Here the samples of check_date

Thanks in Advance!

richgalloway · ‎05-01-2023

Thanks for that information. This query may work better. It converts check_date into an integer before computing the max value.

<<your current search for events>>
| eval i_check_date = strptime(check_date, "%d/%m/%Y")
| eventstats latest(i_check_date) as max_check_date by src_name
| where i_check_date=max_check_date
| fields - max_check_date i_check_date

---
If this reply helps you, Karma would be appreciated.

How can I fetch the latest values?

search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!