- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- I want to include field values which have the late...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
events are like this : number = INCXXXXXX dv_sys = yyyy-mm-dd hh:mm:ss group = lx ........
for a particular value of field number there are multiple events containing various values for the other field dv
_sys
I only want my search results to display the one with the latest timestamp value.
Can anyone help with the correct syntax please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To use the latest function of the stats command, you need a _time field. So, for each log, you probably want to create that field with an eval statement, leveraging the strptime command
base search to pull logs in...
| eval _time=strptime(dv_sys, "%Y-%m-%d H:M:S")
| stats latest(number) as latestNumber by _time
You'll likely need to play with the dv_sys strptime extract using the common variables found here: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables, but this should generally get you what you're going for. If you already have a _time field on each log, then you can just ignore the eval command and go straight to the stats.
Does this answer your question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To use the latest function of the stats command, you need a _time field. So, for each log, you probably want to create that field with an eval statement, leveraging the strptime command
base search to pull logs in...
| eval _time=strptime(dv_sys, "%Y-%m-%d H:M:S")
| stats latest(number) as latestNumber by _time
You'll likely need to play with the dv_sys strptime extract using the common variables found here: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables, but this should generally get you what you're going for. If you already have a _time field on each log, then you can just ignore the eval command and go straight to the stats.
Does this answer your question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i would guess number is your id field. In your example, it looks like it's a bmc incident number.
you can do this |stats latest(*) as * by < id fields >
in your case, |stats latest(*) as * by number
This works only if the _time values are different. I would suggest using a filed like "Last Modified timestamp" for _time
Please mark as answer if this answers your query
Preparing your Splunk Environment for OpenSSL3
Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
