How do you get the latest time entry from a dateti...

darshana2511 · ‎11-13-2018

I have one field value as a datetime field, and I want the data of only the latest time. How can I write this query?
My current search is:

index="ad_dns_new" sourcetype="resolve_json"|eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S")|eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") | table HealthCheck,Result,New_Date,Customer|chart values(Result) as Result over HealthCheck by New_Date

I am attaching an image of my current output. From that, I want data of 11th nov 15:36:57.

How can I do that?

I look forward to hearing from you.

kmaron · ‎11-13-2018

adding limit=1 will limit your results to 1 date and useother=0 will stop it from grouping everything else into an 'other' category.

index="ad_dns_new" sourcetype="resolve_json" 
| eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S") 
| eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") 
| table HealthCheck,Result,New_Date,Customer 
| sort - New_Date
| chart values(Result) as Result over HealthCheck by New_Date limit=1 useother=0

darshana2511 · ‎11-14-2018

limit does not work with my query. as I have multiple date values as column names

How do you get the latest time entry from a datetime field value?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How do you get the latest time entry from a datetime field value?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR