How do you view the last event time in an inputloo...

vatsalyay · ‎09-28-2018

I have an inputlookup which searches on a CSV where the CSV looks like

Field_A Field_B
A          test1
B          test2

I want to run a search where I get the output but I also get a column added to see what was the last event observed from Field A in Splunk with an output like

Field_A Field_B Last_event
A          test1    9/22/18 7:28:16
B          test2    9/25/18 7:28:16

I have written a query but it does not seem to work:

inputlookup excel.csv | table Field_A   Field_B | appendcols [search index=my_index  src=Field_A| stats head 1 | stats first(_time)| eval Last_Seen_Event=strftime(Last_Seen_Event,"%+")]

somesoni2 · ‎09-28-2018

You can do like this

index=my_index  [| inputlookup excel.csv | table Field_A | rename Field_A as src ]
| stats max(_time) as Last_Seen_Event by src | rename src as Field_A
| inputlookup append=t excel.csv 
| stats values(Last_Seen_Event) as Last_Seen_Event values(Field_B) as Field_B by Field_A
| eval Last_Seen_Event=strftime(Last_Seen_Event,"%+")

How do you view the last event time in an inputlookup?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How do you view the last event time in an inputlookup?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!