Solved: How do you display a count based from the latest t...

ejespiritu · ‎11-14-2018

Hello, I'm new with Splunk and need some help.

I need to filter my data to only count the status of the latest time stamp for each ID.

I've a data set with 3 columns
ID, status, timestamp
1001, A, 11:12pm - should not count
1001, B, 11:13pm - should count
2002, A, 11:10pm - should not count
2002, A, 11:14pm - should count
3003, A, 11:11pm - should count

My dashboard should display
Status, Count
A, 2
B, 1

Shan · ‎11-14-2018

@ ejespiritu,

Try this approach ..

| makeresults
| eventstats latest(_time) as latest_timestamp by status
| where _time = latest_timestamp
| stats count(ID) by status

View solution in original post

Shan · ‎11-14-2018

@ ejespiritu,

Try this approach ..

| makeresults
| eventstats latest(_time) as latest_timestamp by status
| where _time = latest_timestamp
| stats count(ID) by status

How do you display a count based from the latest timestamp?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How do you display a count based from the latest timestamp?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine