Splunk Search

How to search newest events with a specific "time" field?

ColinCH
Path Finder

Hi,

We have a script that runs every day. The script adds a field called "export_time" which i use to determine the newest status.

2016-10-07 14:33:04 - export_time="2016-11-04 14:33:04" id="1" status="s" text="thisissometext"
2016-10-21 14:33:07 - export_time="2016-11-04 14:33:04" id="2" status="s" text="thisissometext"
2016-10-07 14:33:04 - export_time="2016-11-03 14:33:04" id="1" status="p" text="thisissometext"
2016-10-21 14:33:07 - export_time="2016-11-03 14:33:04" id="2" status="p" text="thisissometext"
...

Now I want to search the newest "export_time" (highlighted in bold) events only. I tried it with latest() but latest() give me not the latest "export_time" but the latest _time.

Does anyone have an idea how to solve this "problem" the easy way?

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

You can reassign _time then your latest() and things like that should work.

 ... | eval _time=strptime(export_time,"%Y-%m-%d %H:%M:%S") | ...

Where the beginning ... is just whatever search you have to return those events, then the trailing ... will be whatever you want to do with it. I left that latter empty because if you leave it off, you should see the events when returned have the _time being export_time.

View solution in original post

Richfez
SplunkTrust
SplunkTrust

You can reassign _time then your latest() and things like that should work.

 ... | eval _time=strptime(export_time,"%Y-%m-%d %H:%M:%S") | ...

Where the beginning ... is just whatever search you have to return those events, then the trailing ... will be whatever you want to do with it. I left that latter empty because if you leave it off, you should see the events when returned have the _time being export_time.

ColinCH
Path Finder

Thanks for your reply. I used your suggestion and created following search:

index=xyz host=cyz [search index=xyz host=cyz | eval _time=strptime(export_time,"%Y-%m-%d %H:%M:%S") | stats latest(_time) as "export_time" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime("export_time") | return export_time]

so i got only the newest "export_time" events.

Richfez
SplunkTrust
SplunkTrust

Great! Thanks for updating this with the "final answer" - that will help people who find this answer in the future!

Happy Splunking!

-Rich

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...