You didn't answer @bowesmana 's question about whether your sample is from an index or a lookup table. I will assume that they come from events. In this case, it is unnecessary to extract _time inline. You can use latest as @bowesmana and @ITWhisperer suggested, or you can simply use dedup to get the latest events before further processing:

| eval day = strftime(_time, "%F")
| dedup day Name

Given this dataset

Name  Status  _raw                        _time
ABC   F       ABC,F, 04/25/2025 15:50:00  2025-04-25 15:50:00
ABC   R       ABC,R, 04/25/2025 15:25:00  2025-04-25 15:25:00
ABC   F       ABC,F, 04/24/2025 15:30:03  2025-04-24 15:30:03
ABC   R       ABC,R, 04/24/2025 15:15:01  2025-04-24 15:15:01

the above will give you

Name  Status  _raw                        _time                day
ABC   F       ABC,F, 04/25/2025 15:50:00  2025-04-25 15:50:00  2025-04-25
ABC   F       ABC,F, 04/24/2025 15:30:03  2025-04-24 15:30:03  2025-04-24

Here is a full emulation of your mock data:

| makeresults
| eval _raw="Name,Status,Datestamp
ABC,F, 04/24/2025 15:30:03
ABC,R, 04/24/2025 15:15:01
ABC,F, 04/25/2025 15:50:00
ABC,R, 04/25/2025 15:25:00"
| multikv forceheader=1
| eval _time = strptime(Datestamp, "%m/%d/%Y %T")
| fields - Datestamp linecount
| sort - _time
``` data emulation above ```
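The point that dedup keeps the first event it meets for each key combination, so the result depends on the order events arrive in (newest first from an index search, which is what the `| sort - _time` line in the emulation reproduces), is shown below in a small Python emulation of the same pipeline. This is an added example, not code from the post or from Splunk; the `parse_event`, `dedup` and `per_day` names are hypothetical helpers, and the four input lines are constructed to match the mock data above.

```python
from datetime import datetime

# Constructed sample lines, matching the mock data in the post (not real index data).
RAW_EVENTS = [
    "ABC,F, 04/24/2025 15:30:03",
    "ABC,R, 04/24/2025 15:15:01",
    "ABC,F, 04/25/2025 15:50:00",
    "ABC,R, 04/25/2025 15:25:00",
]


def parse_event(raw):
    """Split one 'Name,Status, Datestamp' line into a dict.

    _time is parsed with the Python equivalent of the SPL
    strptime(Datestamp, "%m/%d/%Y %T") used in the emulation.
    """
    name, status, datestamp = (part.strip() for part in raw.split(",", 2))
    when = datetime.strptime(datestamp, "%m/%d/%Y %H:%M:%S")
    return {"Name": name, "Status": status, "_raw": raw, "_time": when}


def dedup(events, *keys):
    """Emulate SPL dedup: keep the first event seen for each key tuple, in
    arrival order. The arrival order therefore decides which event survives.
    """
    seen = set()
    kept = []
    for ev in events:
        key = tuple(ev[k] for k in keys)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def per_day(raw_events, newest_first=True):
    """The post's pipeline: parse, add day = strftime(_time, "%F"), order the
    events like a search result (newest first, as `| sort - _time` does), then
    `dedup day Name`. Passing newest_first=False reverses the order and shows
    that dedup then returns the earliest event of each day instead.
    """
    events = [parse_event(r) for r in raw_events]
    for ev in events:
        ev["day"] = ev["_time"].strftime("%Y-%m-%d")  # "%F" is "%Y-%m-%d"
    events.sort(key=lambda ev: ev["_time"], reverse=newest_first)
    return dedup(events, "day", "Name")


if __name__ == "__main__":
    for label, order in (("newest first", True), ("oldest first", False)):
        print(label)
        for ev in per_day(RAW_EVENTS, newest_first=order):
            print(f'  {ev["day"]}  {ev["Name"]}  {ev["Status"]}  {ev["_time"]}')
```

With the descending sort the result is the two "F" rows from the post's table; with an ascending sort the same dedup keeps the two "R" rows, which is why the order of events matters before dedup is applied.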