I am guessing this is data in a lookup file rather than event data - if you have event data you would already have a time stamp in the event which may or may not be the same as Timestamp. However, i...
See more...
I am guessing this is data in a lookup file rather than event data - if you have event data you would already have a time stamp in the event which may or may not be the same as Timestamp. However, in your specific example, assuming no _time field, the just parse the Timstamp field and use stats latest to get the latest, i.e. | makeresults format=csv data="Name,Status,Timestamp
ABC,F, 04/24/2025 15:30:03
ABC, R, 04/24/2025 15:15:01"
| eval _time = strptime(Timestamp, "%m/%d/%Y %T")
| stats latest(*) as * by Name