Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

select latest timestamp of data and from second to last date.

michaelrosello
Path Finder
‎08-17-2018 10:00 AM

I have this data set of data coming in multiple times a day.

I want to select all the latest timestamp and the latest timestamp of second to last date.

On this example below I want to get all of data with timestamp of 2018-08-14 07:53:53.0(latest today) and 2018-08-14 07:53:53.0(latest second to last date)

Note that ingestion is not consistent and there might be days where no data will come in.

1   2018-08-10 19:58:24.0   
2   2018-08-11 01:14:43.0   
3   2018-08-11 03:22:09.0   
4   2018-08-11 06:28:03.0   
5   2018-08-11 08:01:30.0   
6   2018-08-11 09:08:25.0   
7   2018-08-12 03:21:44.0   
8   2018-08-12 23:52:02.0   
9   2018-08-14 00:39:34.0   
10  2018-08-14 03:09:33.0   
11  2018-08-14 06:21:39.0   
12  2018-08-14 07:53:53.0
Tags (3)
0 Karma
Reply

horsefez
Motivator
‎08-17-2018 01:47 PM

@michaelrosello

How about something like this

alt text

it's a bit weird, I give you that but it works
here is the query:

\< your base search\> | stats first(_time) AS first_time, last(_time) AS last_time by date_mday | eval first_time=strftime(first_time, "%y-%d-%m %H:%M:%S"), last_time=strftime(last_time, "%y-%d-%m %H:%M:%S")
| rename first_time AS "Last Event", last_time AS "First Event" | table date_mday "First Event" "Last Event"

Reply

KailA
Contributor
‎08-17-2018 11:24 AM

Hi,
First I have a question for you, is those data are in an index ? If yes, normally, you just have to do :
index=youIndex | head 3

If not, can you give us more detail on how you get those data ?

Kail

0 Karma
Reply

horsefez
Motivator
‎08-17-2018 01:26 PM

what do you mean exactly by that?
On this example below I want to get all of data with timestamp of 2018-08-14 07:53:53.0(latest today) and 2018-08-14 07:53:53.0(latest second to last date)

do you mean (earliest) and (latest)??

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...