Getting Time of last occurrence of a sbstring

siddharthmis · ‎06-18-2017

I have events like below in a log file-

06/18/2017 22:35:10,Message="Finished Cleanup"
06/18/2017 22:57:02,Message="Finished Cleanup"
06/18/2017 22:57:02,Message="Finished Cleanup"

I want to extract (only) the time "06/18/2017 22:57" i.e. the time of last occurrence.

I used-

source="**"  Message="Finished Cleanup" |  stats max(_time) as time by Message  | eval End_Time=strftime(time,"%m/%d/%Y %H:%M")

But stats is not helping as I only want the time stamp.
How can I get time stamp only.

inventsekar · ‎06-20-2017

Hi siddharthmis, may we know if this is working fine now? can you please mark this as completed

inventsekar · ‎06-19-2017

maybe, try - tail 1 --- to get the oldest event and then a rex to extract the timestamp.

( "tail 1" worked the opposite way around, replace it with "head 1" )

source="**" Message="Finished Cleanup" | tail 1 | rex field=_raw "^(?<DateTime>\d+\/\d+\/\d+\s+\d+:\d+:\d+)" | table DateTime _raw

dineshraj9 · ‎06-18-2017

You are filtering out based on the Message field, so you don't need to use it with stats command -

 source="**"  Message="Finished Cleanup" |  stats max(_time) as time | eval End_Time=strftime(time,"%m/%d/%Y %T")

Also you are filter fields using the fields command.