Solved: How to get the latest timestamp by host?

ppatkar · ‎05-28-2019

I need to list all the hosts with their latest Splunk event timestamps in YYYY-MMM-DD HH24:MI:SS format .
Below seems to be suffice , however I am unable to change the date & time format for required results :

tstats latest(_time) where index=abc by host

Any help or insights is appreciated.

DavidHourani · ‎05-28-2019

Hi @ppatkar,

Does something like this work for you ?

| tstats latest(_time) AS _time where index=abc by host | eval _time=strftime(_time,"%m/%d/%y %H:%M:%S")

Cheers,
David

View solution in original post

DavidHourani · ‎05-28-2019

Hi @ppatkar,

Does something like this work for you ?

| tstats latest(_time) AS _time where index=abc by host | eval _time=strftime(_time,"%m/%d/%y %H:%M:%S")

Cheers,
David

ppatkar · ‎05-28-2019

Thanks David, after searching for similar posts could manage the below :

| tstats latest(_time) AS latest where index=abc by host | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest)

DavidHourani · ‎05-28-2019

awesome, glad to know you found a solution !

How to get the latest timestamp by host?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How to get the latest timestamp by host?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud