Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the latest date from a lookup

Mary666
Communicator
‎11-08-2021 08:15 PM

Hello All, 

Anyone know how I can get the latest date from a lookup file? I am using the script below:

| inputlookup  append=t Blue_Marbles_Report.csv  | rename "Last Scan Date" as "Last_Scan_Date" 
| eval updated=strptime(Last_Scan_Date,"%FT%T%:z")
| eval desired_time=strftime(updated, "%B %d, %Y")
| stats latest(desired_time) as desired_time

| table  Marbles, desired_time

But the latest(desired_time) does not deliver any results. This is what I have on my original file:

MarblesLast_Scan_Date
Blue08/01/2020
Blue10/04/2020
Blue11/08/2021


Desired Result:

Marblesdesired_time
Blue11/08/2021


Hope to get some help on this, thanks in advance. 

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-08-2021 09:01 PM

Try this

| inputlookup  append=t Blue_Marbles_Report.csv  | rename "Last Scan Date" as "Last_Scan_Date" 
| eval updated=strptime(Last_Scan_Date,"%FT%T%:z")
| sort 1 -updated
| eval desired_time=strftime(updated, "%B %d, %Y")
| table  Marbles, desired_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-08-2021 09:20 PM

Ok, you're trying to do something latest() is not meant for.

The earliest()/latest() stats functions return chronologically first/last occurence of given field. But the basis for ordering is not the value of this field, but the _time field.

In other means, it's roughly ewuivalent to

<...> | sort _time | stats last(<field>)

As you don't have the _time field in your outputlookup, all values are treated equally and splunk will probably treat first/last of them in any order you have at the moment as earliest()/latest().

If you need to calculate max/min timestamp you can either simply use max/min on a field containing a unix timestamp (which is a numerical field after all) or sort by tha column as @somesoni2 aleady showed and either get stats first()/last() or do head/tail.

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-08-2021 09:01 PM

Try this

| inputlookup  append=t Blue_Marbles_Report.csv  | rename "Last Scan Date" as "Last_Scan_Date" 
| eval updated=strptime(Last_Scan_Date,"%FT%T%:z")
| sort 1 -updated
| eval desired_time=strftime(updated, "%B %d, %Y")
| table  Marbles, desired_time
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...