https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69420#M14072 <P>Ok we are currently receiving two sets of data a preliminary version (received first) and a finalised version (received later). Both sets of data are identical and have the same _time values after import into the same sourcetype.</P> <P>When performing calculations we only want to get the most recent value for that time.</P> <P><STRONG>Prelim data</STRONG></P> <PRE><CODE>UID, In Date, Update Time, Vol, Corr Vol 453,May 1 2012 6:00AM,May 2 2012 3:24PM,133,223.000000000 453,May 1 2012 7:00AM,May 2 2012 3:24PM,104,175.000000000 453,May 1 2012 8:00AM,May 2 2012 3:24PM,90,152.000000000 </CODE></PRE> <P><STRONG>Final data</STRONG></P> <PRE><CODE>UID, In Date, Update Time, Vol, Corr Vol 453,May 1 2012 6:00AM,May 2 2012 3:24PM,140,223.000000000 453,May 1 2012 7:00AM,May 2 2012 3:24PM,110,175.000000000 453,May 1 2012 8:00AM,May 2 2012 3:24PM,93,152.000000000 </CODE></PRE> <P>Now I know I can use the search and it will get the most recent version</P> <PRE><CODE>sourcetype="Flow" UID=452 | dedup _time </CODE></PRE> <P>Now while this works it is undocumented and we would hate for such a 'feature' to be changed and then break the Splunk app we are developing.</P> <P>Can someone confirm this is the only way to achieve this or is there a better way?</P> Tue, 25 Sep 2012 06:06:10 GMT phoenixdigital 2012-09-25T06:06:10Z https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69420#M14072 <P>Ok we are currently receiving two sets of data a preliminary version (received first) and a finalised version (received later). Both sets of data are identical and have the same _time values after import into the same sourcetype.</P> <P>When performing calculations we only want to get the most recent value for that time.</P> <P><STRONG>Prelim data</STRONG></P> <PRE><CODE>UID, In Date, Update Time, Vol, Corr Vol 453,May 1 2012 6:00AM,May 2 2012 3:24PM,133,223.000000000 453,May 1 2012 7:00AM,May 2 2012 3:24PM,104,175.000000000 453,May 1 2012 8:00AM,May 2 2012 3:24PM,90,152.000000000 </CODE></PRE> <P><STRONG>Final data</STRONG></P> <PRE><CODE>UID, In Date, Update Time, Vol, Corr Vol 453,May 1 2012 6:00AM,May 2 2012 3:24PM,140,223.000000000 453,May 1 2012 7:00AM,May 2 2012 3:24PM,110,175.000000000 453,May 1 2012 8:00AM,May 2 2012 3:24PM,93,152.000000000 </CODE></PRE> <P>Now I know I can use the search and it will get the most recent version</P> <PRE><CODE>sourcetype="Flow" UID=452 | dedup _time </CODE></PRE> <P>Now while this works it is undocumented and we would hate for such a 'feature' to be changed and then break the Splunk app we are developing.</P> <P>Can someone confirm this is the only way to achieve this or is there a better way?</P> Tue, 25 Sep 2012 06:06:10 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69420#M14072 phoenixdigital 2012-09-25T06:06:10Z https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69421#M14073 <P>What is undocumented? <CODE>dedup _time</CODE>? While I guess that PARTICULAR usage example for <CODE>dedup</CODE> might not be explicitly stated in the docs, both the <CODE>dedup</CODE> command and the <CODE>_time</CODE> field are definitely not going anywhere soon.</P> <P>But, I don't know if there's any guarantee that given two events with identical timestamp, Splunk is going to choose the newest one. I would consider differentiating the events using the field it would check anyway to see which event is newer - <CODE>_indextime</CODE>, which is what it says...a field containing the time (in epoch format) when Splunk indexed an event.</P> Tue, 25 Sep 2012 06:20:43 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69421#M14073 Ayn 2012-09-25T06:20:43Z https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69422#M14074 <P>Thankyou _indextime would be perfect.</P> <P>I wasn't thinking dedup was undocumented or would go away but more that the way it behaved with _time might change. That was the undocumented part I was referring to.</P> <PRE><CODE>sourcetype="Flow" UID = 453 | dedup _time sortby -_indextime </CODE></PRE> <P>will give consistent results.</P> Tue, 25 Sep 2012 06:30:54 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-most-recent-events-with-the-same-time/m-p/69422#M14074 phoenixdigital 2012-09-25T06:30:54Z