For example:

Snapshot 1 from DB

Event _1  DATA=AAA CHGDATE=16.06.2021 11:03

Event _2 DATA=BBB CHGDATE=16.06.2021 11:04

Snapshot 2 from db

Event _3  DATA=AAA CHGDATE=17.06.2021 11:03

Event _4 DATA=BBB CHGDATE=17.06.2021 11:04

Snapshot 3 from db

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event _6 DATA=BBB CHGDATE=17.06.2021 15:04

I have to get last snapshot data. That's :

Snapshot 3 from db

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event_6 DATA=BBB CHGDATE=17.06.2021 15:04

It work fine , but how to get 

in result: DATA,CHGDATE

sorry it very very difficult for me 

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA
| table DATA CHGDATE

Try something like this (assumes CHGDATE is an epoch datetime, otherwise use strptime to parse the string to get an epoch datetime)

| eval _time=CHGDATE
| stats latest(*) as * by DATA

Just like in SQL Style:

select * from splunk_log where _time=

(select max(_time) from splunk_log)

SPL is not SQL - SPL works on a pipeline of events being processed and passed on to the next step in the process. If it helps, think of it like a bash script

cat file | grep "value" | sort

Each command passes the results through stdout to the stdin of the next command and only the data in that stdout/stdin pipe gets passed