Solved: SPL to return list of field values for a particula...

jabezds · ‎07-28-2020

Hi All,

I need a spl which will return the list of filenames that came for the latest time .

| eval latest_time = max(strftime(_time,"%Y-%m-%d")) | stats count by latest_time,filename

But im not able to achieve that through the above spl.

eg

Latest_time filename

2020-07-28 filename1.txt

filename2.txt

filename3.txt

filename4.txt

bowesmana · ‎07-29-2020

From your description it looks like you want a list of filenames that were on the most recent day for where there are files, so

| bin _time span=1d
| stats values(filename) as filename by _time
| tail 1

If you want individual rows for each filename, then just add

| mvexpand filename

at the end

bowesmana · ‎07-29-2020

From your description it looks like you want a list of filenames that were on the most recent day for where there are files, so

| bin _time span=1d
| stats values(filename) as filename by _time
| tail 1

If you want individual rows for each filename, then just add

| mvexpand filename

at the end

SPL to return list of field values for a particular time