I have a table like below in Splunk
I want to apply a group by on Event Number col and want to get the top(latest) result by EventTime like below
I am new to Splunk. Can anyone suggest how to achieve it using a Splunk search query?
Try the following. It parses the EventTime and assigns it to _time, so you can apply stats function latest() to get the latest values by EventNumber.
...search that gets you to that data...
| eval _time = strptime(EventTime, "%e/%m/%Y %H:%M")
| stats latest(EventName) as EventName latest(EventTime) as EventTime by EventNumber
Hi Frank
Thank you for your quick reply. Is there any way that we can hide this EventNumber from displaying as a column but still use it in the calculation?
regards
Nilanjan
Just add | fields - EventNumber
to the end of your query.
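As an added, self-contained illustration of the two answers above (the strptime/stats latest() search and the trailing fields - EventNumber), not part of the original thread: the following search builds a few constructed sample rows with makeresults so it can be pasted into any Splunk search bar without an index. The EventNumber values, event names and timestamps are made up; the date format "%e/%m/%Y %H:%M" (unpadded day, two-digit month, 24-hour time) is assumed to match the original poster's table, since the table itself is not shown.

```spl
| makeresults count=1
| eval rows="1001,Login,5/03/2021 09:15;1002,Logout,5/03/2021 09:40;1001,Password change,6/03/2021 14:02;1002,Login,4/03/2021 22:10"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<EventNumber>[^,]+),(?<EventName>[^,]+),(?<EventTime>.+)$"
| fields - rows
| eval _time = strptime(EventTime, "%e/%m/%Y %H:%M")
| where isnotnull(_time)
| stats latest(EventName) as EventName latest(EventTime) as EventTime by EventNumber
| fields - EventNumber
```

With this sample data the result is two rows: "Password change, 6/03/2021 14:02" for 1001 and "Logout, 5/03/2021 09:40" for 1002, because latest() orders on _time rather than on the text of EventTime, so the 4/03/2021 22:10 login for 1002 correctly loses to the 5/03 logout even though "4/03" sorts before "5/03" as a string. Both latest() values come from the same event, so EventName and EventTime stay paired. The where isnotnull(_time) line is a practitioner's check: if strptime cannot parse a value (wrong day/month order, a different format, a timezone suffix), it returns null and that row would otherwise be ordered unpredictably; removing the where line shows those rows, which is the quickest way to verify the format string against real data. The final fields - EventNumber drops the column from the output only after stats has already grouped on it.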
Hi Frank
Your solution works like a charm. Just a question: where can I learn more about the Splunk query language?
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual is a very useful resource.
Have you taken the Splunk Fundamentals 1 training, if not, that is also a good starting point. And if you have access to trainings, there are several more advanced trainings on the topic as well.
Thank you for your guidance. I started Splunk Fundamentals 1. Happy learning 🙂