Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the latest scope with respect to latest date?

smanojkumar
Contributor
‎03-07-2023 03:50 AM

date Scope

12/11/2020 Linux Shadow
17/02/2023 Linux Project
20/02/2023 Linux Project
21/02/2023 Linux Project
22/02/2023 Linux Project
23/02/2023 Linux Project
24/02/2023 Linux Project
27/02/2023 Linux Project
28/02/2023 Linux Project
01/03/2023 Linux Project
01/03/2023 Linux Project
01/03/2023 Linux Project
02/03/2023 Linux projet
03/03/2023 Linux Project
03/03/2023 Linux Project
06/03/2023 Linux Project
06/03/2023 Linux Project

we need to extract the lastest scope with respect to latest date, 

The latest date is 06/03/2023, so its scope is linux project, we need to get this value and the result will be

date Scope

01/03/2023
02/03/2023
03/03/2023
06/03/2023
12/11/2020
17/02/2023
20/02/2023
21/02/2023
22/02/2023
23/02/2023
24/02/2023
27/02/2023
28/02/2023
 Linux Project
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 04:30 AM

You should probably parse the dates from the kvstore into epoch timestamps, that way you can do calculations on them such as finding the latest date

| eval epoch = strptime(date,"%d/%m/%Y")
| eventstats max(epoch) as latest_date
| where epoch=latest_date

View solution in original post

Reply
Solved! Jump to solution

smanojkumar
Contributor
‎03-07-2023 04:24 AM

Hi @ITWhisperer ,

   Thanks for your response,

   I had added some details in original post, also the data is from kvstore lookup.

Thanks Again!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 04:30 AM

You should probably parse the dates from the kvstore into epoch timestamps, that way you can do calculations on them such as finding the latest date

| eval epoch = strptime(date,"%d/%m/%Y")
| eventstats max(epoch) as latest_date
| where epoch=latest_date
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 03:58 AM

It is not clear what you are trying to do as you have multiple dates for the same scope.

Does this do what you want?

| stats latest(Date) as Date by Scope

If not, please share some of the events you are dealing with (anonymised of course), preferably in a code block </> to prevent format information from being removed.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...