Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract latest events of particular field.

prateeksawhney
Explorer
‎11-02-2020 08:14 PM

Hi Folks,

I need your help in fetching latest event from a particular field.

Sharing you a sample event  and query when I execute for last 15 mins.

Query -> index=Blah sourcetype=blah_blah*

Example event :-

2020-11-02 05:35:00.319SOURCE="Tullett", COUNTVOL="879", TO_CHAR(SNAPTIME,'MM/DD/YYHH24:MI:SS')="08/31/20 00:59:00"
 
Initial date on this event seems to be OK which is todays date"2020-11-02 05:35:00.319", but date at the end which is field SNAPTIME_NEW seems to be old "08/31/20 00:59:00". Can you please help me with a query so that I see only "todays" events in a sorted manner by date in field SNAPTIME_NEW when I execute query for last 15 mins. 
 
Screenshot attached.
 
Thanks, 
Prateek
Labels (2)
Labels
Preview file
118 KB
0 Karma
Reply

t_shreya
Path Finder
‎11-02-2020 11:41 PM

Hi @prateeksawhney 

I think you can use where condition to filter out events which belong to last 15 minutes for the field SNAPTIME_NEW

| eval limit = relative_time(now(),"-15m")
| where SNAPTIME_NEW >= limit
| sort SNAPTIME_NEW

 If the field is not already in epoch time, you will have to convert it using strptime.

0 Karma
Reply

prateeksawhney
Explorer
‎11-03-2020 12:19 AM

@t_shreya  Thanks for your response, but this does not seem to be returning any result. 

Screenshot attached for your reference.

And yes field is already in epoch time.

Preview file
32 KB
0 Karma
Reply

t_shreya
Path Finder
‎11-03-2020 01:15 AM

@prateeksawhney , if the SNAPTIME_NEW does not have field values that are equal to or greater than the epoch time of the last 15 min, then, it would not return any result.

Does the SNAPTIME_NEW have all the values that are older than last 15 min?

0 Karma
Reply

prateeksawhney
Explorer
‎11-04-2020 08:52 PM

@t_shreya 

Your Question - 

Does the SNAPTIME_NEW have all the values that are older than last 15 min?

Answer - Yes

I have updated my question, I need to look for only today's events in a sorted manner.  As of now I am getting around 22,000 events in last 15 mins which contain old and new both dates.

Screenshot attached.

Preview file
130 KB
0 Karma
Reply

t_shreya
Path Finder
‎11-05-2020 12:26 AM

Hi @prateeksawhney , 

For today's events you would need to change -15m to @d

| eval limit = relative_time(now(),"@d")
| where SNAPTIME_NEW >= limit
| sort SNAPTIME_NEW


 

0 Karma
Reply

prateeksawhney
Explorer
‎11-05-2020 12:52 AM

@t_shreya 

This query is not returning any results.

0 Karma
Reply

t_shreya
Path Finder
‎11-05-2020 12:58 AM

@prateeksawhney , Can you share details about the field SNAPTIME_NEW, means some of the values that it has in it?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-05-2020 12:20 AM 
| eval limit = relative_time(now(),"-15m")
| eval SNAPTIME_NEW=strptime(SNAPTIME_NEW,"%m/%d/%y %H:%M:%S")
| where SNAPTIME_NEW >= limit
| sort SNAPTIME_NEW
0 Karma
Reply

prateeksawhney
Explorer
‎11-05-2020 12:53 AM

@ITWhisperer 

Hi, Thanks for your response. But your query is not returning any results either.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-05-2020 01:06 AM

All the events you have shown have old dates in SNAPTIME. Are there any results to be found matching your criteria?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...