Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the latest scope with respect to latest date?

smanojkumar
Contributor
‎03-07-2023 03:50 AM

date Scope

12/11/2020 Linux Shadow
17/02/2023 Linux Project
20/02/2023 Linux Project
21/02/2023 Linux Project
22/02/2023 Linux Project
23/02/2023 Linux Project
24/02/2023 Linux Project
27/02/2023 Linux Project
28/02/2023 Linux Project
01/03/2023 Linux Project
01/03/2023 Linux Project
01/03/2023 Linux Project
02/03/2023 Linux projet
03/03/2023 Linux Project
03/03/2023 Linux Project
06/03/2023 Linux Project
06/03/2023 Linux Project

we need to extract the lastest scope with respect to latest date, 

The latest date is 06/03/2023, so its scope is linux project, we need to get this value and the result will be

date Scope

01/03/2023
02/03/2023
03/03/2023
06/03/2023
12/11/2020
17/02/2023
20/02/2023
21/02/2023
22/02/2023
23/02/2023
24/02/2023
27/02/2023
28/02/2023
 Linux Project
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 04:30 AM

You should probably parse the dates from the kvstore into epoch timestamps, that way you can do calculations on them such as finding the latest date

| eval epoch = strptime(date,"%d/%m/%Y")
| eventstats max(epoch) as latest_date
| where epoch=latest_date

View solution in original post

Reply
Solved! Jump to solution

smanojkumar
Contributor
‎03-07-2023 04:24 AM

Hi @ITWhisperer ,

   Thanks for your response,

   I had added some details in original post, also the data is from kvstore lookup.

Thanks Again!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 04:30 AM

You should probably parse the dates from the kvstore into epoch timestamps, that way you can do calculations on them such as finding the latest date

| eval epoch = strptime(date,"%d/%m/%Y")
| eventstats max(epoch) as latest_date
| where epoch=latest_date
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 03:58 AM

It is not clear what you are trying to do as you have multiple dates for the same scope.

Does this do what you want?

| stats latest(Date) as Date by Scope

If not, please share some of the events you are dealing with (anonymised of course), preferably in a code block </> to prevent format information from being removed.

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...