Solved: How to get the latest timestamp by host?

ppatkar · ‎05-28-2019

I need to list all the hosts with their latest Splunk event timestamps in YYYY-MMM-DD HH24:MI:SS format .
Below seems to be suffice , however I am unable to change the date & time format for required results :

tstats latest(_time) where index=abc by host

Any help or insights is appreciated.

DavidHourani · ‎05-28-2019

Hi @ppatkar,

Does something like this work for you ?

| tstats latest(_time) AS _time where index=abc by host | eval _time=strftime(_time,"%m/%d/%y %H:%M:%S")

Cheers,
David

View solution in original post

DavidHourani · ‎05-28-2019

Hi @ppatkar,

Does something like this work for you ?

| tstats latest(_time) AS _time where index=abc by host | eval _time=strftime(_time,"%m/%d/%y %H:%M:%S")

Cheers,
David

ppatkar · ‎05-28-2019

Thanks David, after searching for similar posts could manage the below :

| tstats latest(_time) AS latest where index=abc by host | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest)

DavidHourani · ‎05-28-2019

awesome, glad to know you found a solution !

How to get the latest timestamp by host?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation