Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you get the latest time entry from a datetime field value?

darshana2511
New Member
‎11-13-2018 02:59 AM

I have one field value as a datetime field, and I want the data of only the latest time. How can I write this query?
My current search is:

index="ad_dns_new" sourcetype="resolve_json"|eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S")|eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") | table HealthCheck,Result,New_Date,Customer|chart values(Result) as Result over HealthCheck by New_Date

I am attaching an image of my current output. From that, I want data of 11th nov 15:36:57.

How can I do that?

I look forward to hearing from you.
alt text

Preview file
15 KB
0 Karma
Reply

kmaron
Motivator
‎11-13-2018 09:53 AM

adding limit=1 will limit your results to 1 date and useother=0 will stop it from grouping everything else into an 'other' category. 

index="ad_dns_new" sourcetype="resolve_json" 
| eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S") 
| eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") 
| table HealthCheck,Result,New_Date,Customer 
| sort - New_Date
| chart values(Result) as Result over HealthCheck by New_Date limit=1 useother=0
0 Karma
Reply

darshana2511
New Member
‎11-14-2018 06:51 AM

limit does not work with my query. as I have multiple date values as column names

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...