Hi Folks,
I need your help fetching the latest event from a particular field.
Sharing a sample event and the query I execute for the last 15 mins.
Query -> index=Blah sourcetype=blah_blah*
Example event :-
Hi @prateeksawhney,
it's easy, you have to use the reverse and head commands, something like this:
index=Blah sourcetype=blah_blah*
| reverse
| head 1
Ciao.
Giuseppe
Thanks for your prompt response. I can see the latest event on top with the field SNAPTIME.
This command is helping me a bit, but not much.
Actually, with this command I can still see events with an old date, and I do not want them. I need only events with today's date, sorted by the field SNAPTIME.
I have used this command -
index=Blah sourcetype=blah_blah*
| reverse
I am not using head in this, as I need all events with today's date.
Hi @prateeksawhney,
using reverse, you sort your events in descending order (it is the same as using "| sort -_time"), so you have the newest event.
If you have today's events, you have today's latest event; if you have older events, you should review the time period you're using.
Ciao.
Giuseppe
The time period I am using is only the last 15 mins.
Can we do something in the query so that when I execute it for the last 15 mins, it shows me data with today's date only?
Particularly in the field SNAPTIME, and with the latest event on top.
Hi @prateeksawhney,
if you use the last 15 minutes, you have today's events;
if the problem is that you need to sort by SNAPTIME instead of the timestamp, you have to transform SNAPTIME into epoch time and sort by it in descending order.
E.g. if SNAPTIME is something like "10/28/2020 10:18:23", you could run something like this:
your_search
| eval SNAPTIME_epoch=strptime(SNAPTIME, "%m/%d/%Y %H:%M:%S")
| sort -SNAPTIME_epoch
| head 1
| ...
Ciao.
Giuseppe
Hi,
I have updated my SNAPTIME time format as mentioned by you in your last comment. This is the new format of the event in Splunk.
| head 1
I have updated my field extraction for the new format of SNAPTIME.
But the result I am getting still does not seem to help, as I can still see old events. I have attached a screenshot for your reference. Please check. Thanks again.
Hi @prateeksawhney,
in your screenshot I don't see the SNAPTIME field, only SNAPTIME_NEW; try to use it to generate SNAPTIME_epoch:
index=Blah sourcetype=blah*
| eval SNAPTIME_epoch=strptime(SNAPTIME_NEW, "%m/%d/%Y %H:%M:%S")
| sort -SNAPTIME_epoch
Ciao.
Giuseppe
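Added example (not part of the original thread or either poster's query): the two things the thread never quite combines are (1) filtering on the parsed SNAPTIME value rather than on the search time range, which only constrains _time, and (2) checking whether strptime actually parsed the field, since a format mismatch returns null and those events silently sort to the wrong place. The index, sourcetype, field name SNAPTIME_NEW and the "%m/%d/%Y %H:%M:%S" format are taken from the thread; the parse_status field name is an assumption for illustration.

```spl
index=Blah sourcetype=blah_blah*
| eval SNAPTIME_epoch=strptime(SNAPTIME_NEW, "%m/%d/%Y %H:%M:%S")
| eval parse_status=if(isnull(SNAPTIME_epoch), "unparsed", "ok")
| where parse_status="ok" AND SNAPTIME_epoch >= relative_time(now(), "@d")
| sort 0 -SNAPTIME_epoch
| table _time SNAPTIME_NEW SNAPTIME_epoch parse_status
```

relative_time(now(), "@d") snaps the current time to midnight today, so the where clause keeps only events whose SNAPTIME_NEW falls on today's date regardless of what _time says; "sort 0" lifts the default 10,000-row sort limit; append "| head 1" if only the single newest SNAPTIME is wanted. To confirm the extraction is correct before trusting the sort, run the first three lines followed by "| stats count by parse_status": any "unparsed" count means the field value does not match the strptime format (or the field is not extracted for those events), and those events need the extraction or the format string fixed rather than more sorting.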
Apologies, and thanks for highlighting the mistake. I have updated the query, but still no success. It is still showing old events.
Screenshot attached.
Were you able to check the same? Any response will be highly appreciated.
Thanks again for helping.