Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How will I get second latest time after rex search?

prateek_mishra
New Member
‎07-13-2017 06:00 AM

I am using the below rex command and then finding out the latest and earliest time .

Search |rex ".*execution.date=(?\w+)" | rex "execution.date=(?\w+)}] and the following status: [COMPLETED]" |
stats earliest(_time) as First latest(_time) as Last by executiondate |

But instead of earliest time I need 2nd Latest time or penultimate time. How will I get? Thanks in Advance 🙂

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎07-13-2017 01:43 PM

Try like this 

your current search with rex statements and before stats
| sort 2 -_time by executiondate
|stats earliest(_time) as First latest(_time) as Last by executiondate
0 Karma
Reply

DalJeanis
Legend
‎07-13-2017 01:39 PM 
your search that gets the records you want with _time and executiondate
| eventstats count as eventcount, latest(_time) as Last by executiondate
| where _time != Last OR eventcount=1
| stats earliest(_time) as First, latest(_time) as Penultimate, latest(Last) as Last by executiondate

The eventstats puts the Last figure where you can save it and get to it, on every record for each executiondate.

The where kills the very last date, but you already have saved what it said in Last.

The stats then calculates the First and Penultimate times. If there is only one event, then all three values are the same. If there are two, then First and Penultimate are the same.

0 Karma
Reply

prateek_mishra
New Member
‎07-13-2017 10:42 PM

I am gettting latest(last) time as penultimate time

0 Karma
Reply

DalJeanis
Legend
‎07-13-2017 01:32 PM

Be sure to mark your code as code, so the interface will not delete parts of it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...