Solved: Re: Get the timestamp of stats latest(field)

artrune · ‎05-02-2019

I'm currently getting the latest value of a field like: | stats latest("field").
However It only shows the column with the value and it doesn't show the column with the timestamp.
If i add latest("_time" ) that wont work if there are other newer entries that don't include the field I'm aiming for.
How can I retrieve the latest value of a field with its timestamp?

woodcock · ‎05-02-2019

You can do this:

... | stats max(_time) AS _time BY field | sort 0 - _time | head 1

View solution in original post

artrune · ‎05-02-2019

This is what i currently have and want to add the timestamp column

artrune · ‎05-02-2019

Thanks, but it comes with alot of dates and values and not the latest value for the field

woodcock · ‎05-02-2019

You can do this:

... | stats max(_time) AS _time BY field | sort 0 - _time | head 1

artrune · ‎05-02-2019

Thanks for your reply, I tried that but it didnt return anything.

artrune · ‎05-02-2019

Nevermind, this did work but i h ad to put my field inside double quotes. Thanks

woodcock · ‎05-02-2019

Field names with spaces are evil.

artrune · ‎05-02-2019

Hmm its funny, because it worked on the search (inside splunk) but when calling through the api im not getting any response. With the previous query i would get response on the API.
Do you have any idea?

artrune · ‎05-02-2019

Nevermind haha i was missing the double quotes inside my code. Just had to escape them.
Thanks for the help

Sukisen1981 · ‎05-02-2019

|  stats latest(fieldname) by _time
| reverse

???

artrune · ‎05-02-2019

Thanks for your reply aswell, When trying this it returns a lot of time stamps and and values.
I want only the latest value for my field with its timestamp

Get the timestamp of stats latest(field)

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...