Archive

How do you display a count based on the latest timestamp?


Hello, I'm new with Splunk and need some help.

I need to filter my data to only count the status of the latest time stamp for each ID.

I've a data set with 3 columns
ID, status, timestamp
1001, A, 11:12pm - should not count
1001, B, 11:13pm - should count
2002, A, 11:10pm - should not count
2002, A, 11:14pm - should count
3003, A, 11:11pm - should count

My dashboard should display
Status, Count
A, 2
B, 1


@ ejespiritu,

Try this approach:

| makeresults
| eventstats latest(_time) as latest_timestamp by ID
| where _time = latest_timestamp
| stats count(ID) by status

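The same idea carried through end to end, as an added example that is not part of the original answer. It builds a constructed copy of the asker's five rows with makeresults/streamstats/mvindex so it can be pasted into a Splunk search bar and run without any index; the 2024-01-01 date attached to the clock times is an assumption needed only so strptime can produce a usable _time. In a real search the first six lines are replaced by the base search that returns events carrying ID, status and _time.

```spl
| makeresults count=5
| streamstats count as row
| eval ID=mvindex(split("1001,1001,2002,2002,3003", ","), row-1)
| eval status=mvindex(split("A,B,A,A,A", ","), row-1)
| eval ts=mvindex(split("23:12,23:13,23:10,23:14,23:11", ","), row-1)
| eval _time=strptime("2024-01-01 ".ts, "%Y-%m-%d %H:%M")
| fields ID status _time
| eventstats max(_time) as latest_timestamp by ID
| where _time = latest_timestamp
| stats count as Count by status
| rename status as Status
```

Grouping the eventstats by ID (not by status) is what makes the filter keep exactly one row per ID; the result is Status A with Count 2 and Status B with Count 1, matching the expected dashboard. Two caveats: max(_time) and latest(_time) return the same value here, so either works; and if an ID has two events with an identical latest _time but different statuses, both pass the where clause and are counted, whereas `| dedup ID sortby -_time` before the stats would keep only one of them.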