Re: select latest timestamp of data and from secon...

michaelrosello · ‎08-17-2018

I have this data set of data coming in multiple times a day.

I want to select all the latest timestamp and the latest timestamp of second to last date.

On this example below I want to get all of data with timestamp of 2018-08-14 07:53:53.0(latest today) and 2018-08-14 07:53:53.0(latest second to last date)

Note that ingestion is not consistent and there might be days where no data will come in.

1   2018-08-10 19:58:24.0   
2   2018-08-11 01:14:43.0   
3   2018-08-11 03:22:09.0   
4   2018-08-11 06:28:03.0   
5   2018-08-11 08:01:30.0   
6   2018-08-11 09:08:25.0   
7   2018-08-12 03:21:44.0   
8   2018-08-12 23:52:02.0   
9   2018-08-14 00:39:34.0   
10  2018-08-14 03:09:33.0   
11  2018-08-14 06:21:39.0   
12  2018-08-14 07:53:53.0

horsefez · ‎08-17-2018

@michaelrosello

How about something like this

it's a bit weird, I give you that but it works
here is the query:

\< your base search\> | stats first(_time) AS first_time, last(_time) AS last_time by date_mday | eval first_time=strftime(first_time, "%y-%d-%m %H:%M:%S"), last_time=strftime(last_time, "%y-%d-%m %H:%M:%S") | rename first_time AS "Last Event", last_time AS "First Event" | table date_mday "First Event" "Last Event"

KailA · ‎08-17-2018

Hi,
First I have a question for you, is those data are in an index ? If yes, normally, you just have to do :
index=youIndex | head 3

If not, can you give us more detail on how you get those data ?

Kail

horsefez · ‎08-17-2018

what do you mean exactly by that?
On this example below I want to get all of data with timestamp of 2018-08-14 07:53:53.0(latest today) and 2018-08-14 07:53:53.0(latest second to last date)

do you mean (earliest) and (latest)??

select latest timestamp of data and from second to last date.

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio