Extracting events based on latest field

selvam_sekar · ‎04-16-2024

Hi,

I have the raw data/Event as below, the splunk gets the rawdata every 2 hrs once and only 4 time a day. This runs at 11.36 AM ,13.36,15:36 PM, 17:36 PM splunk gets the rawdata.

Per day i am getting ~2.5K events

Field:DATETIME , tells what time the job run

2024-04-15 21:36:58.960, DATETIME="2024-04-15 17:36:02", REGION="India", APPLICATION="webApp", CLIENT_CODE="ind", MARKET_CODE="SEBI", TRADE_COUNT="1"

What I am looking is when i run the dashboard, where I want to monitor the trade count by market_code over latest DATETIME.

For instance, if i run the dashboard at 14:00 hrs, the field DATETIME might have 11.36 (~600 events), 13.36(~600 events). I want to see only 13.36hrs 600 events, and metric would be TRADE_COUNT by MARKET_CODE

Thanks,

Selvam.

ITWhisperer · ‎04-16-2024

In order to do calculations or meaningful comparisons with dates and times, they need to be converted (parsed) to unix-style timestamps.

| eval datetime_unix=strptime(DATETIME, "%F %T")
| eventstats max(datetime_unix) as last_datetime
| where datetime_unix == last_datetime
| stats count by market_code

Extracting events based on latest field

using Splunk Enterprise

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)