How do you get the latest time entry from a dateti... - Splunk Community

Getting Data In

I have one field value as a datetime field, and I want the data of only the latest time. How can I write this query?
My current search is:

index="ad_dns_new" sourcetype="resolve_json"|eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S")|eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") | table HealthCheck,Result,New_Date,Customer|chart values(Result) as Result over HealthCheck by New_Date

I am attaching an image of my current output. From that, I want data of 11th nov 15:36:57.

How can I do that?

I look forward to hearing from you.

15 KB

adding limit=1 will limit your results to 1 date and useother=0 will stop it from grouping everything else into an 'other' category.

index="ad_dns_new" sourcetype="resolve_json" 
| eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S") 
| eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") 
| table HealthCheck,Result,New_Date,Customer 
| sort - New_Date
| chart values(Result) as Result over HealthCheck by New_Date limit=1 useother=0

limit does not work with my query. as I have multiple date values as column names

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...