Getting Data In

How do you get the latest time entry from a datetime field value?

darshana2511
New Member

I have one field value as a datetime field, and I want the data of only the latest time. How can I write this query?
My current search is:

index="ad_dns_new" sourcetype="resolve_json"|eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S")|eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") | table HealthCheck,Result,New_Date,Customer|chart values(Result) as Result over HealthCheck by New_Date

I am attaching an image of my current output. From that, I want data of 11th nov 15:36:57.

How can I do that?

I look forward to hearing from you.
alt text

0 Karma

kmaron
Motivator

adding limit=1 will limit your results to 1 date and useother=0 will stop it from grouping everything else into an 'other' category.

index="ad_dns_new" sourcetype="resolve_json" 
| eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S") 
| eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") 
| table HealthCheck,Result,New_Date,Customer 
| sort - New_Date
| chart values(Result) as Result over HealthCheck by New_Date limit=1 useother=0
0 Karma

darshana2511
New Member

limit does not work with my query. as I have multiple date values as column names

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...