Archive
Highlighted

Last record per hour

New Member

I manage to extract the data from Splunk below:
ID SignalStrength TimeStamp
01 3 09:00:05
01 0 09:30:00
02 0 09:00:05
02 0 09:30:00
02 3 09:55:00

But I wanted to reduce it further to only get the last record in the hour, like this:
ID SignalStrength TimeStamp
01 0 09:30:00
02 3 09:55:00

I tried this:
| stats max(Timestamp) by ID, SignalStrength

but it gave me the maximum on the day not per hour.

Tags (1)
0 Karma
Highlighted

Re: Last record per hour

Influencer

Try this:

| bin _time span=1h | stats max(Timestamp) by ID, SignalStrength, _time
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.