Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing the Dates and retrieve the latest va...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RonD
Explorer
11-16-2020
06:43 AM
We have a search that populates a csv file for tracking purposes of latest check-ins formatted as (%m/%d/%Y)
| Host | agent1_date | agent2_date | agent3_date | agent4_date | agent5_date |
| Asset1 | 11/16/2020 | 11/15/2020 | 11/16/2020 | 11/13/2020 | 11/16/2020 |
| Asset2 | 11/15/2020 | 11/13/2020 | 11/13/2020 | 11/13/2020 |
How do I go about on comparing all these dates and get the latest value and write it to a new column - latest date
Expected outcome:
| Host | agent1_date | agent2_date | agent3_date | agent4_date | agent5_date | latest_date |
| Asset1 | 11/16/2020 | 11/15/2020 | 11/16/2020 | 11/13/2020 | 11/16/2020 | 11/16/2020 |
| Asset2 | 11/15/2020 | 11/13/2020 | 11/13/2020 | 11/13/2020 | 11/15/2020 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rnowitzki
Builder
11-16-2020
07:42 AM
Hi @RonD ,
Maybe not the most dynamic solution, but it should work:
| eval latest_date=strftime(max(strptime(agent1_date,"%m/%d/%Y"),strptime(agent2_date,"%m/%d/%Y"),strptime(agent3_date,"%m/%d/%Y"),strptime(agent4_date,"%m/%d/%Y"),strptime(agent5_date,"%m/%d/%Y")),"%m/%d/%Y")
The strptime and strftime is to convert it to epoch and back to "humand readable" in order to make the dates comparable.
Hope it helps
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RonD
Explorer
11-16-2020
08:20 AM
Thank you, this is actually working well for my requirements!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rnowitzki
Builder
11-16-2020
07:42 AM
Hi @RonD ,
Maybe not the most dynamic solution, but it should work:
| eval latest_date=strftime(max(strptime(agent1_date,"%m/%d/%Y"),strptime(agent2_date,"%m/%d/%Y"),strptime(agent3_date,"%m/%d/%Y"),strptime(agent4_date,"%m/%d/%Y"),strptime(agent5_date,"%m/%d/%Y")),"%m/%d/%Y")
The strptime and strftime is to convert it to epoch and back to "humand readable" in order to make the dates comparable.
Hope it helps
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Karma and/or Solution tagging appreciated.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?
Community Office Hours is an interactive 60-minute Zoom series where ...
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
