Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can earliest/latest function be used over my own timestamp field?

codewarrior
Loves-to-Learn Everything
‎06-16-2021 07:58 PM

Hi folks, my dataset looks like this:

timestampiduserMailreason
t1id1a@example.comtest
t2id1a@example.comtest
t3id1a@example.com test
t2id2b@example.comtesttest
t4id2b@example.comttt

 

I want to group by id and userMail, then find the last (latest) record in each group. From the help document on latest/earliest function, it uses metadata field _time to find the latest row, how can I let latest function to use timestamp field in my case? 
I know I can use something like eval _time = timestamp to overwrite the _time field, but want to know if there are better ways to achieve.

My second question is how to write the query, can i do in this way:

| eval _time=timestamp/pow(10,3)
| chart latest(*) by id, userEmail

Thanks!

Labels (1)
Labels
Tags (2)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-17-2021 12:39 AM
@codewarrior wrote:

My second question is how to write the query, can i do in this way:

| eval _time=timestamp/pow(10,3)
| chart latest(*) by id, userEmail

Also yes.  As soon as you redefine _time, it behaves as the original _time. (In some use cases, you want to first rename the original in order to save its value.  But for the stats that you are using it with, that is not necessary.)

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-16-2021 11:40 PM
If needed you could add new field (or convert timestamp) for epoch time (time in seconds). Then just look min/max from this values and then add values(timestamp) as timestamp your query or convert that min/max value back to displayable format.
r. Ismo
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-16-2021 08:08 PM

Yes, you can.  If you want to use search command, rename your timestamp _time; else you will need to do calculations in where command.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...