Splunk Search

How to search newest events with a specific "time" field?

Path Finder

Hi,

We have a script that runs every day. The script adds a field called "export_time" which I use to determine the newest status.

2016-10-07 14:33:04 - exporttime="2016-11-04 14:33:04" id="1" status="s" text="thisissometext"
2016-10-21 14:33:07 - exporttime="2016-11-04 14:33:04" id="2" status="s" text="thisissometext"
2016-10-07 14:33:04 - exporttime="2016-11-03 14:33:04" id="1" status="p" text="thisissometext"
2016-10-21 14:33:07 - exporttime="2016-11-03 14:33:04" id="2" status="p" text="thisissometext"
...

Now I want to search the newest "exporttime" (highlighted in bold) events only. I tried it with latest(), but latest() gives me not the latest "exporttime" but the latest _time.

Does anyone have an idea how to solve this "problem" the easy way?

Re: How to search newest events with a specific "time" field?

SplunkTrust

You can reassign _time then your latest() and things like that should work.

 ... | eval _time=strptime(export_time,"%Y-%m-%d %H:%M:%S") | ...

Where the beginning ... is just whatever search you have to return those events, and the trailing ... is whatever you want to do with them. I left the latter empty because if you leave it off, you should see that the returned events have their time set to exporttime.

Re: How to search newest events with a specific "time" field?

Path Finder

Thanks for your reply. I used your suggestion and created the following search:

index=xyz host=cyz [search index=xyz host=cyz | eval time=strptime(exporttime,"%Y-%m-%d %H:%M:%S") | stats max(time) as "exporttime" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime("exporttime") | return exporttime]

so I got only the newest "export_time" events.
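
To make the difference between latest() and the subsearch approach concrete, here is an added Python example. It is not part of the thread and not Splunk code; it parses constructed events in the same layout as the question's sample and applies the two selection rules side by side: "the exporttime of the most recently indexed event" (what stats latest() gives) versus "the newest exporttime present in the data, then filter to it" (what the subsearch does). The function names, the regexes and the sample lines, including the final backfilled run that is indexed last but carries an older export, are all assumptions made for the example.

```python
import re
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# One event per line, in the layout shown in the question:
#   <_time> - key="value" key="value" ...
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample modelled on the question's events (not real data).
# The last line is a hypothetical backfilled run: it is indexed last, but
# carries an older export than the 2016-11-04 export already in the index.
SAMPLE_TEXT = """\
2016-10-07 14:33:04 - exporttime="2016-11-03 14:33:04" id="1" status="p" text="thisissometext"
2016-10-07 14:33:04 - exporttime="2016-11-03 14:33:04" id="2" status="p" text="thisissometext"
2016-10-21 14:33:07 - exporttime="2016-11-04 14:33:04" id="1" status="s" text="thisissometext"
2016-10-21 14:33:07 - exporttime="2016-11-04 14:33:04" id="2" status="s" text="thisissometext"
2016-10-22 09:00:00 - exporttime="2016-11-02 14:33:04" id="1" status="p" text="backfilled run"
"""


def parse_event(line):
    """Split one raw line into a dict of extracted fields plus parsed times."""
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError("unrecognised event layout: %r" % line)
    event = dict(KV_RE.findall(m.group("kv")))
    event["_time"] = datetime.strptime(m.group("ts"), TIME_FMT)
    # Equivalent of SPL: eval time=strptime(exporttime, "%Y-%m-%d %H:%M:%S")
    event["export_ts"] = datetime.strptime(event["exporttime"], TIME_FMT)
    return event


def parse_events(text):
    """Parse every non-blank line of a raw export log."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def latest_by_index_time(events):
    """What stats latest(exporttime) returns: the exporttime of the event
    with the greatest _time, regardless of how recent that export is."""
    return max(events, key=lambda e: e["_time"])["exporttime"]


def newest_export_time(events):
    """What stats max(time) returns after the strptime eval: the newest
    export timestamp in the data, formatted back as the subsearch does."""
    return max(e["export_ts"] for e in events).strftime(TIME_FMT)


def newest_export(events):
    """The outer search: keep only the events whose exporttime equals the
    value the subsearch returned."""
    cutoff = newest_export_time(events)
    return [e for e in events if e["exporttime"] == cutoff]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TEXT)
    print("latest() by _time :", latest_by_index_time(evs))
    print("max(exporttime)   :", newest_export_time(evs))
    for e in newest_export(evs):
        print("  id=%s status=%s" % (e["id"], e["status"]))
```

On this sample the two rules disagree: the most recently indexed event belongs to the 2016-11-02 export, so latest() would report a stale export, while taking the maximum of the parsed exporttime and filtering on it returns the two status="s" events of the 2016-11-04 export. That is exactly the case in which picking the cutoff with max() rather than latest() in the subsearch matters.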

Re: How to search newest events with a specific "time" field?

SplunkTrust

Great! Thanks for updating this with the "final answer" - that will help people who find this answer in the future!

Happy Splunking!

-Rich