Solved: How to get the latest timestamp by host?

ppatkar · ‎05-28-2019

I need to list all the hosts with their latest Splunk event timestamps in YYYY-MMM-DD HH24:MI:SS format .
Below seems to be suffice , however I am unable to change the date & time format for required results :

tstats latest(_time) where index=abc by host

Any help or insights is appreciated.

DavidHourani · ‎05-28-2019

Hi @ppatkar,

Does something like this work for you ?

| tstats latest(_time) AS _time where index=abc by host | eval _time=strftime(_time,"%m/%d/%y %H:%M:%S")

Cheers,
David

View solution in original post

DavidHourani · ‎05-28-2019

Hi @ppatkar,

Does something like this work for you ?

| tstats latest(_time) AS _time where index=abc by host | eval _time=strftime(_time,"%m/%d/%y %H:%M:%S")

Cheers,
David

ppatkar · ‎05-28-2019

Thanks David, after searching for similar posts could manage the below :

| tstats latest(_time) AS latest where index=abc by host | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest)

DavidHourani · ‎05-28-2019

awesome, glad to know you found a solution !

How to get the latest timestamp by host?

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

How to get the latest timestamp by host?

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025