Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch the time of the latest event?

zacksoft
Contributor
‎04-10-2018 05:22 AM

My log contain some events that we call 'bonus_events'. And 'bonus_events' happen once or twice a week.
I want to subtract the the current time from the time when the latest bonus_event happened.

For this I want to fetch the time of the latest event.

This is what I have written,

host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| eval sub = now() - x

x indicates the time of the latest event of base_query result.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-10-2018 05:41 AM

hello there,

the field _time represents the timestamp on the event
try this:

   host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
    | eval sub = now() - _time

this will give you the gap in seconds between your event/s and the moment the search was executed

hope it helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-10-2018 05:41 AM

hello there,

the field _time represents the timestamp on the event
try this:

   host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
    | eval sub = now() - _time

this will give you the gap in seconds between your event/s and the moment the search was executed

hope it helps

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎04-10-2018 05:52 AM

And to apply this only to the latest event, simply insert a | head 1 in between those 2 lines.

Reply
Solved! Jump to solution

zacksoft
Contributor
‎04-10-2018 05:57 AM

@FrankVl Thank you. The I head 1 did the trick.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-10-2018 06:05 AM 
host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| head 1
| eval sub = now() - _time

if it solves it, please mark the question as answered and up vote any helpful comments

Reply
Solved! Jump to solution

zacksoft
Contributor
‎04-10-2018 05:49 AM

Just to be clear, _time indicates the time of the latest event that my base query produces, right?
My base query produces around 20 events in a month time frame and I would like the time of the latest event only.

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...