- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to display the last event time when using stats function. the following search string works but the time is not human readable. I tried to use the convert function strftime(last(_time), "%m/%d %H:%M:%S") but it's not working.
I would sppreciate if anyone could shed some light on this. Thanks!
stats max(time_in_sec), min(time_in_sec), avg(time_in_sec), last(_time) by url
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/3400b/3400b67defd60510a473e689bebd59333b615836" alt="hexx hexx"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Since you want to display the time stamp of the most recent event in the results, I would recommend using latest() instead of last(). Consider the following definition of latest():
latest(X) This function returns the chronologically latest seen occurrence of a value of a field X.
Anyway, I here is the suggested search string:
... | stats max(time_in_sec), min(time_in_sec), avg(time_in_sec), latest(_time) AS latest_time by url | convert ctime(latest_time)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/3400b/3400b67defd60510a473e689bebd59333b615836" alt="hexx hexx"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Since you want to display the time stamp of the most recent event in the results, I would recommend using latest() instead of last(). Consider the following definition of latest():
latest(X) This function returns the chronologically latest seen occurrence of a value of a field X.
Anyway, I here is the suggested search string:
... | stats max(time_in_sec), min(time_in_sec), avg(time_in_sec), latest(_time) AS latest_time by url | convert ctime(latest_time)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info. My splunk version is 4.3.1 but the function, latest, seems not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
I like the answer.
Shangshin, just note that latest is a function of stats only in Splunk versions past 4.3. If you have <4.3, try "| stats max(time_in_sec), min(time_in_sec) avg(time_in_sec), first(_time) as latest_time by url | convert ctime(latest_time)"
data:image/s3,"s3://crabby-images/d7f73/d7f73632dd731f9b3dd280d9d048df61ba67932c" alt=""