I have a dataset in Splunk that roughly looks like this
ID=1, Status="Pending", LastModifiedDate="2013-07-14 00:00:00.000", Product=xyz
ID=2, Status="Delivered", LastModifiedDate="2013-07-15 00:00:00.000", Product=xyz
ID=1, Status="Billed", LastModifiedDate="2013-07-16 00:00:00.000", Product=xyz
ID=2, Status="Pending", LastModifiedDate="2013-07-14 00:00:00.000", Product=xyz
ID=1, Status="Delivered", LastModifiedDate="2013-07-15 00:00:00.000", Product=xyz
I was looking for a query that will return the latest (top) modified event group by ID. The query should also suppress older events. For the above set, I was looking at the query to return the following result:
ID=1, Status="Billed", LastModifiedDate="2013-07-16 00:00:00.000", Product=xyz
ID=2, Status="Delivered", LastModifiedDate="2013-07-15 00:00:00.000", Product=xyz
Any ideas on syntax for the query?
... View more