Solved: get max figure for latest time in data

mcaulsc · ‎09-01-2021

Hi,

I have data as below sample:

Date Time val1 val2 val3 ......
21/08/31 01:00:00 2 1 2 2 2 2 2 1 1 2 69 1 0 2 0 0 3 3
21/08/31 02:00:00 1 1 0 1 1 1 0 0 0 0 0 0 0 1 0 1 1 0
21/08/31 03:00:00 2 1 1 2 2 2 0 1 0 2 1 0 0 2 0 1 2 2
21/08/31 04:00:00 1 1 1 1 1 1 67 0 1 150 205 0 169 312 0 0 2 2
21/08/31 05:00:00 1 0 1 1 1 1 0 0 0 70 1 2 0 1 1 1 2 58

I can calculate the max value for a specific date and time and show as a single value panel on a dashboard. What I'd like to do it find the max value for the latest time reported in the data for a date.

index=my_index sourcetype=my:sourcetype Date="21/08/31" Time="03:00:00"| eval max_val = max(val1, val2, val3, val4 ....) |stats max(max_val) as mymax

So in the sample where latest Time is "05:00:00" is there a way I can code that rather than hard specify the value?

thanks in advance for any thoughts

ITWhisperer · ‎09-01-2021

| eval _time=strptime(Date." ".Time, "%d/%m/%y %H:%M:%S")
| sort - _time
| head 1

View solution in original post

ITWhisperer · ‎09-01-2021

| eval _time=strptime(Date." ".Time, "%d/%m/%y %H:%M:%S")
| sort - _time
| head 1

mcaulsc · ‎09-02-2021

Thanks, that did it, updated query below for completeness.

So for the latest time on a given date, normally today and last record loaded, it will report the max value. Thanks for the assistance.

get max figure for latest time in data

eval

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!