I have a Splunk query that returns results like this. I want to modify the query so that I get the latest row for UtilityJarVersion when everything else (the other column values) is the same. How can I modify my query to get the result I need?
_time | BitBucket_Project | MicroserviceName | Env | UtilityJarVersion |
1/13/22 4:09 PM | bb-project1 | microservice1 | DEV | 1.0.105 |
1/11/22 6:39 AM | bb-project2 | microservice2 | DEV | 1.0.105 |
1/12/22 11:22 AM | bb-project2 | microservice2 | DEV | 1.0.106 |
1/12/22 7:00 PM | bb-project3 | microservice3 | DEV | 1.0.106 |
1/12/22 9:28 AM | bb-project3 | microservice4 | DEV | 1.0.106 |
1/12/22 6:33 PM | bb-project4 | microservice5 | DEV | 1.0.106 |
1/11/22 6:40 AM | bb-project5 | microservice6 | DEV | 1.0.105 |
1/12/22 6:43 PM | bb-project5 | microservice6 | DEV | 1.0.106 |
That is, my expected result would look like:
_time | BitBucket_Project | MicroserviceName | Env | UtilityJar |
1/13/22 4:09 PM | bb-project1 | microservice1 | DEV | 1.0.105 |
1/12/22 11:22 AM | bb-project2 | microservice2 | DEV | 1.0.106 |
1/12/22 7:00 PM | bb-project3 | microservice3 | DEV | 1.0.106 |
1/12/22 9:28 AM | bb-project3 | microservice4 | DEV | 1.0.106 |
1/12/22 6:33 PM | bb-project4 | microservice5 | DEV | 1.0.106 |
1/12/22 6:43 PM | bb-project5 | microservice6 | DEV | 1.0.106 |
Thank you
You should share your query, but in principle
<YOUR QUERY>
| stats latest(_time) as _time latest(UtilityJarVersion) as UtilityJarVersion by BitBucket_Project MicroserviceName Env
Assuming you want the latest time version, as opposed to the latest Jar Version
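To try the `stats` clause from the answer above without the original search, and to see the distinction its last sentence draws, here is an added example (not from either poster) that builds a few rows with `makeresults`. The rows are constructed, including a 1.0.99 rollback row that is not in the question; the `when`, `p`, `vkey`, `LatestDeployed` and `HighestVersion` names are illustrative, and it assumes a Splunk version whose `makeresults` accepts `format=csv`.

```spl
| makeresults format=csv data="when,BitBucket_Project,MicroserviceName,Env,UtilityJarVersion
01/11/22 06:39 AM,bb-project2,microservice2,DEV,1.0.105
01/12/22 11:22 AM,bb-project2,microservice2,DEV,1.0.106
01/11/22 06:40 AM,bb-project5,microservice6,DEV,1.0.105
01/12/22 06:43 PM,bb-project5,microservice6,DEV,1.0.106
01/13/22 09:00 AM,bb-project5,microservice6,DEV,1.0.99"
| eval _time=strptime(when, "%m/%d/%y %I:%M %p")
| eval p=split(UtilityJarVersion, ".")
| eval vkey=printf("%05d.%05d.%05d", tonumber(mvindex(p,0)), tonumber(mvindex(p,1)), tonumber(mvindex(p,2)))
| stats latest(_time) as _time latest(UtilityJarVersion) as LatestDeployed max(vkey) as HighestVersionKey by BitBucket_Project MicroserviceName Env
| eval HighestVersion=replace(HighestVersionKey, "(^|\.)0+(\d)", "\1\2")
| fields - HighestVersionKey
```

For bb-project5 / microservice6 this returns LatestDeployed 1.0.99 (the most recent event) but HighestVersion 1.0.106, while bb-project2 / microservice2 shows 1.0.106 in both columns. The zero-padded `vkey` is there because a plain string comparison would rank 1.0.99 above 1.0.106.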