Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need get last event occurred time of each day

paragvidhi
Engager
‎03-25-2021 09:22 AM

Hi All, 

I would like to get last event occurred time of each day, my searching window area is last 30 days.

For example : If my query return 3 events for day1 and 5 events for day 2 than I need only two event in output. 
last event time of day 1 and last event time of day 2 and so on.

I tried to get that with help of table command.  it works for me. but I need to do that without using of table command. 
worth if you could help me to find rename or create duplicate field of date_mday and _time

search | table date_mday, _time | dedup date_mday | sort date_mday.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-25-2021 11:20 PM

Hi @paragvidhi,

To get difference you should calculate the diff before time conversions. Please try below;

search A
| eval Date=strftime(_time, "%d/%m/%Y")
| stats latest(_time) AS Latest by Date
| join Date
[search search B
| eval Date=strftime(_time, "%d/%m/%Y")
| stats earliest(_time) AS Earliest by Date
]
| eval time_diff= Endtime_mail - starttime_mail
| eval time_diff=tostring(time_diff,"duration") 
| eval starttime_mail=strftime(Earliest,"%Y/%m/%d %H:%M:%S")
| eval Endtime_mail=strftime(Latest,"%Y/%m/%d %H:%M:%S")
| table starttime_mail,Endtime_mail, time_diff
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-25-2021 09:31 AM

Why don't you want to use the table command?

What happens if you just remove the table command?

0 Karma
Reply

paragvidhi
Engager
‎03-25-2021 09:41 AM

Actually I need use that data to another search. 
so if i give you more details.  so I would like to get total time taken.


I have two search A and B . 

In search A I will get only single event for each day. so I am consider event time as starttime. 

In search B I will get multiple event in a day. so the last event occurred on that day I consider endtime of that event. 

Now I need to display result like below. 
Date  starttime endtime timetaken(starttime-endtime)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-25-2021 10:56 AM

If search A is purely to find the start and search B is from the same source, you could try

search | stats earliest_time(_time) as start latest_time(_time) as end by date_mday

You could return these with every event by using eventstats instead of just stats if you still need the event data

0 Karma
Reply

paragvidhi
Engager
‎03-25-2021 12:05 PM

I got my query result in another way but its partial. 

Here I use below query. 

search A
| eval Date=strftime(_time, "%d/%m/%Y")
| stats latest(_time) AS Latest by Date
| eval Endtime_mail=strftime(Latest,"%Y/%m/%d %H:%M:%S")
| join Date
[search search B
| eval Date=strftime(_time, "%d/%m/%Y")
| stats earliest(_time) AS Earliest by Date
| eval starttime_mail=strftime(Earliest,"%Y/%m/%d %H:%M:%S")
]
| table starttime_mail,Endtime_mail

Capture.PNG

Now I am not able get date-time difference between starttime_mail and Endtime_mail. 
Difference should be like 1 day ,3 hour, 43 minute.




0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-25-2021 11:29 PM 
search A
| eval Date=strftime(_time, "%d/%m/%Y")
| stats latest(_time) AS Latest by Date
| join Date
[search search B
| eval Date=strftime(_time, "%d/%m/%Y")
| stats earliest(_time) AS Earliest by Date
]
| eval timediff=Latest-Earliest
| eval duration_mail=tostring(timediff,"duration")
| eval Endtime_mail=strftime(Latest,"%Y/%m/%d %H:%M:%S")
| eval starttime_mail=strftime(Earliest,"%Y/%m/%d %H:%M:%S")
| table starttime_mail,Endtime_mail,duration_mail
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...