https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242096#M46936 <P>Yes!! In my case I have solved with head comand:</P> <P>index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...</P> Tue, 14 Nov 2017 12:33:55 GMT jul1an 2017-11-14T12:33:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242085#M46925 <P>Hi,</P> <P>I got an index which continuously receive new source file automatically, what I want is to my search to only return events from the last source file. Should be something simple but I did not figure it out, maybe with the |head command.</P> Fri, 20 Nov 2015 15:12:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242085#M46925 bruno_eduardo 2015-11-20T15:12:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242086#M46926 <P>Like this (replace <CODE>...</CODE> with the exact same base search; yes, twice):</P> <PRE><CODE>... [ ... | stats latest(source) AS source ] </CODE></PRE> Fri, 20 Nov 2015 15:37:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242086#M46926 woodcock 2015-11-20T15:37:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242087#M46927 <P>Thanks!!!!</P> Fri, 20 Nov 2015 15:44:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242087#M46927 bruno_eduardo 2015-11-20T15:44:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242088#M46928 <P>What about the Before Last?</P> Fri, 20 Nov 2015 15:56:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242088#M46928 bruno_eduardo 2015-11-20T15:56:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242089#M46929 <P>Like this:</P> <PRE><CODE>... NOT [ ... | stats latest(source) AS source ] </CODE></PRE> Fri, 20 Nov 2015 16:07:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242089#M46929 woodcock 2015-11-20T16:07:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242090#M46930 <P>But I mean before last source file only</P> Fri, 20 Nov 2015 16:34:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242090#M46930 bruno_eduardo 2015-11-20T16:34:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242091#M46931 <P>Did you try it? That's what it does.</P> Fri, 20 Nov 2015 16:52:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242091#M46931 woodcock 2015-11-20T16:52:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242092#M46932 <P>Yes I tried, I have 20 source files for this index and when I do this I got 19, every each of them except the last one. What I need is only the 19th one. I already got the 20th with your answer, just need the before last.</P> Fri, 20 Nov 2015 17:30:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242092#M46932 bruno_eduardo 2015-11-20T17:30:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242093#M46933 <P>Like this:</P> <PRE><CODE>... [ ... | dedup source | reverse | list(source) AS source| eval source=mvindex(source,1) ] </CODE></PRE> <P>You can then adjust the <CODE>1</CODE> to whichever one you would like.</P> Sat, 21 Nov 2015 02:02:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242093#M46933 woodcock 2015-11-21T02:02:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242094#M46934 <P>That is really great but don't solve the problem, This search would only help if I had a fixed number of source files, the problems is: The index continuously receive new source file automatically, so I would need to change the search every time.</P> Mon, 23 Nov 2015 14:48:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242094#M46934 bruno_eduardo 2015-11-23T14:48:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242095#M46935 <P>Sorry it worked, without the |reverse, look:</P> <P>index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]</P> <P>this bring myu before last source file events.</P> <P>Thanks</P> Mon, 23 Nov 2015 14:57:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242095#M46935 bruno_eduardo 2015-11-23T14:57:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242096#M46936 <P>Yes!! In my case I have solved with head comand:</P> <P>index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...</P> Tue, 14 Nov 2017 12:33:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-results-only-from-the-last-source-file/m-p/242096#M46936 jul1an 2017-11-14T12:33:55Z