Solved: Get the timestamp of stats latest(field)

artrune · ‎05-02-2019

I'm currently getting the latest value of a field like: | stats latest("field").
However It only shows the column with the value and it doesn't show the column with the timestamp.
If i add latest("_time" ) that wont work if there are other newer entries that don't include the field I'm aiming for.
How can I retrieve the latest value of a field with its timestamp?

woodcock · ‎05-02-2019

You can do this:

... | stats max(_time) AS _time BY field | sort 0 - _time | head 1

View solution in original post

artrune · ‎05-02-2019

This is what i currently have and want to add the timestamp column

artrune · ‎05-02-2019

Thanks, but it comes with alot of dates and values and not the latest value for the field

woodcock · ‎05-02-2019

You can do this:

... | stats max(_time) AS _time BY field | sort 0 - _time | head 1

artrune · ‎05-02-2019

Thanks for your reply, I tried that but it didnt return anything.

artrune · ‎05-02-2019

Nevermind, this did work but i h ad to put my field inside double quotes. Thanks

woodcock · ‎05-02-2019

Field names with spaces are evil.

artrune · ‎05-02-2019

Hmm its funny, because it worked on the search (inside splunk) but when calling through the api im not getting any response. With the previous query i would get response on the API.
Do you have any idea?

artrune · ‎05-02-2019

Nevermind haha i was missing the double quotes inside my code. Just had to escape them.
Thanks for the help

Sukisen1981 · ‎05-02-2019

|  stats latest(fieldname) by _time
| reverse

???

artrune · ‎05-02-2019

Thanks for your reply aswell, When trying this it returns a lot of time stamps and and values.
I want only the latest value for my field with its timestamp

Get the timestamp of stats latest(field)

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk