Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the latest scope with respect to latest date?

smanojkumar
Contributor
‎03-07-2023 03:50 AM

date Scope

12/11/2020 Linux Shadow
17/02/2023 Linux Project
20/02/2023 Linux Project
21/02/2023 Linux Project
22/02/2023 Linux Project
23/02/2023 Linux Project
24/02/2023 Linux Project
27/02/2023 Linux Project
28/02/2023 Linux Project
01/03/2023 Linux Project
01/03/2023 Linux Project
01/03/2023 Linux Project
02/03/2023 Linux projet
03/03/2023 Linux Project
03/03/2023 Linux Project
06/03/2023 Linux Project
06/03/2023 Linux Project

we need to extract the lastest scope with respect to latest date, 

The latest date is 06/03/2023, so its scope is linux project, we need to get this value and the result will be

date Scope

01/03/2023
02/03/2023
03/03/2023
06/03/2023
12/11/2020
17/02/2023
20/02/2023
21/02/2023
22/02/2023
23/02/2023
24/02/2023
27/02/2023
28/02/2023
 Linux Project
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 04:30 AM

You should probably parse the dates from the kvstore into epoch timestamps, that way you can do calculations on them such as finding the latest date

| eval epoch = strptime(date,"%d/%m/%Y")
| eventstats max(epoch) as latest_date
| where epoch=latest_date

View solution in original post

Reply
Solved! Jump to solution

smanojkumar
Contributor
‎03-07-2023 04:24 AM

Hi @ITWhisperer ,

   Thanks for your response,

   I had added some details in original post, also the data is from kvstore lookup.

Thanks Again!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 04:30 AM

You should probably parse the dates from the kvstore into epoch timestamps, that way you can do calculations on them such as finding the latest date

| eval epoch = strptime(date,"%d/%m/%Y")
| eventstats max(epoch) as latest_date
| where epoch=latest_date
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-07-2023 03:58 AM

It is not clear what you are trying to do as you have multiple dates for the same scope.

Does this do what you want?

| stats latest(Date) as Date by Scope

If not, please share some of the events you are dealing with (anonymised of course), preferably in a code block </> to prevent format information from being removed.

Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...