My SPL:
base search |transaction ID | table date field1 field2 ID
My result:
Date      field1  field2  ID
02/20/23  CCC     2k      10
02/20/23  c2      4k      11
02/10/23  CC      2k      08
02/01/23  C       5k      01
But I only want to output the latest result, which is 02/20/23, assuming begin of the I don't date for latest event.
Is your date field different to _time? Also, you have two dates with the same value, but if date is different to _time then do this:
base search
| transaction ID
| eval tmp=strptime(date, "%m/%d/%y")
| sort 1 - tmp
| table date field1 field2 ID
If date is the same as _time then you just need:
base search
| transaction ID
| sort 1 - _time
| table date field1 field2 ID
But how do you want to differentiate between the first two events that have the same date?
Give this a try:
base search |transaction ID | table date field1 field2 ID
| eventstats latest(date) as latestDate
| where date=latestDate | fields - latestDate
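The following is an added example, not part of any reply in this thread. It combines the strptime parsing from the first reply with the eventstats filter from the last one, so the comparison is made on a numeric epoch value and every row tied on the latest date is kept. The four rows are the ones from the question, rebuilt with makeresults so the search runs without an index; the names row, f and latest_tmp are chosen here for illustration.

```spl
| makeresults
| eval row=split("02/20/23,CCC,2k,10;02/20/23,c2,4k,11;02/10/23,CC,2k,08;02/01/23,C,5k,01", ";")
| mvexpand row
| eval f=split(row, ","), date=mvindex(f, 0), field1=mvindex(f, 1), field2=mvindex(f, 2), ID=mvindex(f, 3)
| eval tmp=strptime(date, "%m/%d/%y")
| eventstats max(tmp) as latest_tmp
| where tmp=latest_tmp
| table date field1 field2 ID
```

This returns both 02/20/23 rows (ID 10 and 11); to return a single row instead, replace the eventstats and where lines with the `sort 1 - tmp` from the first reply.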