I'm currently getting the latest value of a field like: | stats latest("field").
However, it only shows the column with the value and it doesn't show the column with the timestamp.
If I add latest("_time"), that won't work if there are other newer entries that don't include the field I'm aiming for.
How can I retrieve the latest value of a field with its timestamp?
You can do this:
... | stats max(_time) AS _time BY field | sort 0 - _time | head 1
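To make the answer above reproducible without real data, here is an added example (not from the original thread) that builds four constructed events with `makeresults` and then applies the same `stats max(_time) ... BY field | sort | head 1` pattern. The field is deliberately named `my field` (a name with a space, which is why the double quotes are needed) and two of the four events have no value for it, which is exactly the situation where `latest(_time)` would report the wrong timestamp. The timestamps and values are made up for the demonstration.

```spl
| makeresults
| eval rows="2024-05-01T10:00:00|alpha;2024-05-01T11:00:00|;2024-05-01T12:00:00|beta;2024-05-01T13:00:00|"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<ts>[^|]+)\|(?<val>.*)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S"), val=if(val=="", null(), val)
| rename val AS "my field"
| fields - rows ts
| stats max(_time) AS _time BY "my field"
| sort 0 - _time
| head 1
| eval timestamp=strftime(_time, "%Y-%m-%d %H:%M:%S")
```

The result is a single row with `my field=beta` and a timestamp of 12:00, the time of the newest event that actually carries the field. Because `stats ... BY "my field"` only groups events where the field exists, the two events at 11:00 and 13:00 that lack it are ignored. By contrast, `| stats latest("my field") latest(_time)` on the same events returns `beta` paired with 13:00, which is the mismatch described in the question: `latest(_time)` looks at all events, not just the ones containing the field.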
This is what I currently have, and I want to add the timestamp column.
Thanks for your reply. I tried that, but it didn't return anything.
Never mind, this did work, but I had to put my field inside double quotes. Thanks
Field names with spaces are evil.
Hmm, it's funny, because it worked in the search (inside Splunk), but when calling through the API I'm not getting any response. With the previous query I would get a response from the API.
Do you have any idea?
Never mind, haha, I was missing the double quotes inside my code. Just had to escape them.
Thanks for the help
| stats latest(fieldname) by _time
| reverse
???
Thanks for your reply as well. When trying this it returns a lot of timestamps and values.
I want only the latest value for my field with its timestamp.