Splunk Search

How to use of Group by on the Event Number column to get the latest result by EventTime?

nilanjankc
New Member

I have a table like below in Splunk
alt text

I want to apply a group by on Event Number col and want to get the top(latest) result by EventTime like below

alt text

I am new to Splunk.Can any one suggest me how to achieve it using Splunk search query

0 Karma
1 Solution

FrankVl
Ultra Champion

Try the following. It parses the EventTime and assigns it to _time, so you can apply stats function latest() to get the latest values by EventNumber.

...search that gets you to that data...
| eval _time = strptime(EventTime, "%e/%m/%Y %H:%M")
| stats latest(EventName) as EventName latest(EventTime) as EventTime by EventNumber

View solution in original post

0 Karma

FrankVl
Ultra Champion

Try the following. It parses the EventTime and assigns it to _time, so you can apply stats function latest() to get the latest values by EventNumber.

...search that gets you to that data...
| eval _time = strptime(EventTime, "%e/%m/%Y %H:%M")
| stats latest(EventName) as EventName latest(EventTime) as EventTime by EventNumber
0 Karma

nilanjankc
New Member

Hi Frank

Thank you for your quick reply,is there any way that we can hide this EventNumber from displaying as Column but still using it in calculation

regards
Nilanjan

0 Karma

FrankVl
Ultra Champion

Just add | fields - EventNumber to the end of your query.

0 Karma

nilanjankc
New Member

Hi Frank
Your solution works like a charm,just a question, from where I can learn more about Splunk query language.

0 Karma

FrankVl
Ultra Champion

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual is a very useful resource.

Have you taken the Splunk Fundamentals 1 training, if not, that is also a good starting point. And if you have access to trainings, there are several more advanced trainings on the topic as well.

0 Karma

nilanjankc
New Member

Thank you for your guidance.I started Splunk Fundamentals 1.Happy learning 🙂

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...