Hi,
We have a script that runs every day. The script adds a field called "export_time" which I use to determine the newest status.
2016-10-07 14:33:04 - export_time="2016-11-04 14:33:04" id="1" status="s" text="thisissometext"
2016-10-21 14:33:07 - export_time="2016-11-04 14:33:04" id="2" status="s" text="thisissometext"
2016-10-07 14:33:04 - export_time="2016-11-03 14:33:04" id="1" status="p" text="thisissometext"
2016-10-21 14:33:07 - export_time="2016-11-03 14:33:04" id="2" status="p" text="thisissometext"
...
Now I want to search the newest "export_time" (highlighted in bold) events only. I tried it with latest(), but latest() gives me not the latest "export_time" but the latest _time.
Does anyone have an idea how to solve this "problem" the easy way?
You can reassign _time then your latest() and things like that should work.
... | eval _time=strptime(export_time,"%Y-%m-%d %H:%M:%S") | ...
Where the beginning ... is just whatever search you have to return those events, then the trailing ... will be whatever you want to do with it. I left that latter empty because if you leave it off, you should see the events when returned have the _time being export_time.
Thanks for your reply. I used your suggestion and created the following search:
index=xyz host=cyz [search index=xyz host=cyz | eval _time=strptime(export_time,"%Y-%m-%d %H:%M:%S") | stats latest(_time) as "export_time" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime("export_time") | return export_time]
so I got only the newest "export_time" events.
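To make the difference between "latest by _time" and "latest by export_time" concrete, here is an added Python example (not from this thread and not Splunk's own code) that parses the four events quoted in the question, reproduces what latest() sees when it keys on the index timestamp, and then applies the same two steps as the final search: find the newest export_time, then keep only the events that carry it. The log lines are constructed from the question; the field names and the key="value" layout are the ones shown there, and the timestamp format matches the strptime pattern used in the answer.

```python
import re
from datetime import datetime

# Constructed sample input: the four events quoted in the question above.
SAMPLE_EVENTS = """\
2016-10-07 14:33:04 - export_time="2016-11-04 14:33:04" id="1" status="s" text="thisissometext"
2016-10-21 14:33:07 - export_time="2016-11-04 14:33:04" id="2" status="s" text="thisissometext"
2016-10-07 14:33:04 - export_time="2016-11-03 14:33:04" id="1" status="p" text="thisissometext"
2016-10-21 14:33:07 - export_time="2016-11-03 14:33:04" id="2" status="p" text="thisissometext"
"""

# Same format string as the strptime() call in the answer.
TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Extracts key="value" pairs; the values in the sample contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split one raw line into its fields plus two parsed datetimes.

    _time            : the timestamp at the front of the line (what Splunk indexes on)
    export_time_dt   : the export_time field parsed with TIME_FMT (what the asker wants)
    """
    ts_text, _, rest = line.partition(" - ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = datetime.strptime(ts_text, TIME_FMT)
    fields["export_time_dt"] = datetime.strptime(fields["export_time"], TIME_FMT)
    return fields


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def latest_by_index_time(events):
    """What latest() keys on by default: the event with the newest _time."""
    return max(events, key=lambda e: e["_time"])


def newest_export_time(events):
    """The step `eval _time=strptime(export_time, ...) | stats latest(_time)`:
    the newest export_time, returned as the original string so it can be used
    as a literal filter, exactly as the subsearch in the final search does."""
    newest = max(e["export_time_dt"] for e in events)
    return newest.strftime(TIME_FMT)


def events_with_newest_export_time(events):
    """The outer search: keep only events whose export_time equals the newest one."""
    newest = newest_export_time(events)
    return [e for e in events if e["export_time"] == newest]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("latest by _time      :", latest_by_index_time(evs)["_time"])
    print("newest export_time   :", newest_export_time(evs))
    for e in events_with_newest_export_time(evs):
        print("kept:", e["id"], e["status"], e["export_time"])
```

Two things the example makes visible. First, several events share the same _time (id 1 appears twice at 2016-10-07 14:33:04), so keying on _time cannot distinguish the old status from the new one; export_time can. Second, the subsearch in the final search returns export_time as a string and the outer search matches it literally, so the `convert timeformat` must produce exactly the same layout as the raw export_time field, otherwise the filter silently matches nothing.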
Great! Thanks for updating this with the "final answer" - that will help people who find this answer in the future!
Happy Splunking!
-Rich