How do you view the last event time in an inputloo...

vatsalyay · ‎09-28-2018

I have an inputlookup which searches on a CSV where the CSV looks like

Field_A Field_B
A          test1
B          test2

I want to run a search where I get the output but I also get a column added to see what was the last event observed from Field A in Splunk with an output like

Field_A Field_B Last_event
A          test1    9/22/18 7:28:16
B          test2    9/25/18 7:28:16

I have written a query but it does not seem to work:

inputlookup excel.csv | table Field_A   Field_B | appendcols [search index=my_index  src=Field_A| stats head 1 | stats first(_time)| eval Last_Seen_Event=strftime(Last_Seen_Event,"%+")]

somesoni2 · ‎09-28-2018

You can do like this

index=my_index  [| inputlookup excel.csv | table Field_A | rename Field_A as src ]
| stats max(_time) as Last_Seen_Event by src | rename src as Field_A
| inputlookup append=t excel.csv 
| stats values(Last_Seen_Event) as Last_Seen_Event values(Field_B) as Field_B by Field_A
| eval Last_Seen_Event=strftime(Last_Seen_Event,"%+")

How do you view the last event time in an inputlookup?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms