Getting Data In

How do you get the latest time entry from a datetime field value?

darshana2511
New Member

I have one field value as a datetime field, and I want the data of only the latest time. How can I write this query?
My current search is:

index="ad_dns_new" sourcetype="resolve_json"|eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S")|eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") | table HealthCheck,Result,New_Date,Customer|chart values(Result) as Result over HealthCheck by New_Date

I am attaching an image of my current output. From that, I want data of 11th nov 15:36:57.

How can I do that?

I look forward to hearing from you.
alt text

0 Karma

kmaron
Motivator

adding limit=1 will limit your results to 1 date and useother=0 will stop it from grouping everything else into an 'other' category.

index="ad_dns_new" sourcetype="resolve_json" 
| eval k=strptime(DateTime,"%Y-%m-%dT%H:%M:%S") 
| eval New_Date=strftime(k,"%d-%m-%Y %H:%M:%S") 
| table HealthCheck,Result,New_Date,Customer 
| sort - New_Date
| chart values(Result) as Result over HealthCheck by New_Date limit=1 useother=0
0 Karma

darshana2511
New Member

limit does not work with my query. as I have multiple date values as column names

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...