Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find latest date for a record

Stephen11
Explorer
‎08-21-2020 02:26 PM

Tried  a couple of functions ... nothing easy...

Example (index=XXX) AND event="XXXXXX" | eval tim =strftime(_time,"%m/%d/%Y") | eventstats max(tim) as maxDate| stats count by dvchost, maxDate

I need to figure out how to find the most recent records....  code does not work... looked at other ways to do it .... nothing easy... help

 

0 Karma
Reply

Nisha18789
Builder
‎08-21-2020 02:39 PM

Hi @Stephen11 , please try this

 (index=XXX) AND event="XXXXXX" | stats latest(_time) as latestDate  by dvchost

|eval latestDate =strftime(latestDate ,"%m/%d/%Y")

 

Hope this helps!

Please upvote my response if this resolves the issue.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-23-2020 03:12 AM

Hi

you should check also stat latest_time(_time) to see which one is the correct function for this time. Time by time those two gives different value. 
r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...