Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How will I get second latest time after rex search?

prateek_mishra
New Member
‎07-13-2017 06:00 AM

I am using the below rex command and then finding out the latest and earliest time .

Search |rex ".*execution.date=(?\w+)" | rex "execution.date=(?\w+)}] and the following status: [COMPLETED]" |
stats earliest(_time) as First latest(_time) as Last by executiondate |

But instead of earliest time I need 2nd Latest time or penultimate time. How will I get? Thanks in Advance 🙂

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎07-13-2017 01:43 PM

Try like this 

your current search with rex statements and before stats
| sort 2 -_time by executiondate
|stats earliest(_time) as First latest(_time) as Last by executiondate
0 Karma
Reply

DalJeanis
Legend
‎07-13-2017 01:39 PM 
your search that gets the records you want with _time and executiondate
| eventstats count as eventcount, latest(_time) as Last by executiondate
| where _time != Last OR eventcount=1
| stats earliest(_time) as First, latest(_time) as Penultimate, latest(Last) as Last by executiondate

The eventstats puts the Last figure where you can save it and get to it, on every record for each executiondate.

The where kills the very last date, but you already have saved what it said in Last.

The stats then calculates the First and Penultimate times. If there is only one event, then all three values are the same. If there are two, then First and Penultimate are the same.

0 Karma
Reply

prateek_mishra
New Member
‎07-13-2017 10:42 PM

I am gettting latest(last) time as penultimate time

0 Karma
Reply

DalJeanis
Legend
‎07-13-2017 01:32 PM

Be sure to mark your code as code, so the interface will not delete parts of it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...