https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84163#M17474 <P>Hello,</P> <P>Some time ago I was looking for a way to search for <A href="http://splunk-base.splunk.com/answers/40186/last-events-in-a-timeframe">events grouped around a date</A> but I think it was an overkill. I changed the format of my events to include a creation time which is a timestamp (epoch) identical for all events which happened "at the same time".</P> <P>What would be the splunk way to search for "events where TIMESTAMP=max(all TIMESTAMPs)". In other words I have, say, 3 groups of 100 events with a unique timestamp per group. I would like to display only the 100 events of the last group which has the largest timestamp.</P> <P>Thank you!</P> Mon, 05 Mar 2012 15:22:13 GMT wsw70 2012-03-05T15:22:13Z https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84163#M17474 <P>Hello,</P> <P>Some time ago I was looking for a way to search for <A href="http://splunk-base.splunk.com/answers/40186/last-events-in-a-timeframe">events grouped around a date</A> but I think it was an overkill. I changed the format of my events to include a creation time which is a timestamp (epoch) identical for all events which happened "at the same time".</P> <P>What would be the splunk way to search for "events where TIMESTAMP=max(all TIMESTAMPs)". In other words I have, say, 3 groups of 100 events with a unique timestamp per group. I would like to display only the 100 events of the last group which has the largest timestamp.</P> <P>Thank you!</P> Mon, 05 Mar 2012 15:22:13 GMT https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84163#M17474 wsw70 2012-03-05T15:22:13Z https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84164#M17475 <P>Since Splunk always delivers the most recent results first, and since you've set up timestamping for the events to be based on your creation timestamp, you can use streamstats and head to terminate the search as soon as it has seen more than one timestamp:</P> <PRE><CODE>... | streamstats dc(_time) as distinct_times | head (distinct_times == 1) </CODE></PRE> Mon, 05 Mar 2012 16:50:32 GMT https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84164#M17475 Stephen_Sorkin 2012-03-05T16:50:32Z https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84165#M17476 <P>Thank you - works just great. Would you know if there is a way to access the second last, third last, etc. set of events (based on the same kind of timestamp)?</P> Tue, 13 Mar 2012 14:42:21 GMT https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84165#M17476 wsw70 2012-03-13T14:42:21Z https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84166#M17477 <P>You can access the second batch by changing the head predicate to <CODE>(distinct_times &lt;= 2)</CODE> and follow that with <CODE>| search distinct_times = 2</CODE> to pick the second batch. The same is true for the n-th set.</P> Tue, 13 Mar 2012 15:00:47 GMT https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84166#M17477 Stephen_Sorkin 2012-03-13T15:00:47Z https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84167#M17478 <P>This works great, however is there a way to do this split by a variable? What I mean is I have a set of events each with a common time, but for multiple servers. I want to get the latest set of events by server.</P> <P>Something like:</P> <P>... | streamstats dc(_time) as distinct_times by server | head (distinct_times == 1)</P> <P>I have played around with various permutations of the above, but cannot get it to do what I want.</P> Mon, 28 Sep 2020 16:41:29 GMT https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84167#M17478 nvonkorff 2020-09-28T16:41:29Z https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84168#M17479 <P>Great tip! Don't forget you can use the <CODE>reverse</CODE> command before <CODE>streamstats</CODE> as well.</P> Fri, 13 Nov 2015 20:07:43 GMT https://community.splunk.com/t5/Getting-Data-In/Most-recent-set-of-events/m-p/84168#M17479 bnorthway 2015-11-13T20:07:43Z