https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474722#M133500 <P>Many thanks !</P> Tue, 10 Sep 2019 13:55:25 GMT julienlance 2019-09-10T13:55:25Z https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474720#M133498 <P>Hello Splunkers !</P> <P>We need your help, as we didn't found any answers solving our issue <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /> We will be so grateful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>We have severals events coming from the same sourcetype, identifing source and VPN tunnels dest.<BR /> These events are sent by packets with the same "_time" value. Due to the network, the delay betwen those packets is random (could be few seconds or one hour).</P> <P>Here is an instance : <BR /> 2019-09-06 18:08:35 ServernameA dst-ip:10.10.10.10 tunnel-state:up<BR /> 2019-09-06 18:08:35 ServernameA dst-ip:10.10.2.2 tunnel-state:up<BR /> 2019-09-06 18:08:35 ServernameA dst-ip:10.10.2.3 tunnel-state:down<BR /> 2019-09-06 18:08:35 ServernameA dst-ip:10.10.2.4 tunnel-state:up<BR /> 2019-09-06 18:08:31 ServernameA dst-ip:10.10.10.10 tunnel-state:up<BR /> 2019-09-06 18:08:31 ServernameA dst-ip:10.10.2.2 tunnel-state:up<BR /> 2019-09-06 18:08:31 ServernameA dst-ip:10.10.2.3 tunnel-state:down<BR /> 2019-09-06 18:08:31 ServernameA dst-ip:10.10.2.4 tunnel-state:up<BR /> 2019-09-06 18:04:31 ServernameA dst-ip:10.10.10.10 tunnel-state:up<BR /> 2019-09-06 18:04:31 ServernameA dst-ip:10.10.2.2 tunnel-state:up<BR /> 2019-09-06 18:04:31 ServernameA dst-ip:10.10.2.3 tunnel-state:down<BR /> 2019-09-06 18:04:31 ServernameA dst-ip:10.10.2.4 tunnel-state:up</P> <P>We want to show in a table only the last events (here, events sent at 18:08:35).<BR /> First, we tried with the relative time-picker for 15mins or 60 mins. But as the delaying time betwen events is random, it's not working, both events are presented.</P> <P>In a second time, we tried with the "last" command, as the following example :<BR /> index="vpn-state" sourcetype="routers:json" hostname=ServernameA earliest =-900s<BR /> | stats last(_time) as last_time <BR /> | table _time,hostname,dst-ip,tunnel-state<BR /> | where _time ==last_time</P> <P>But that doesn't work too, probably a syntax error or because "stats" results can't be evaluated.</P> <P>Any clues for helping us ?<BR /> Many thanks !</P> Wed, 30 Sep 2020 02:06:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474720#M133498 julienlance 2020-09-30T02:06:16Z https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474721#M133499 <P><CODE>stats</CODE> results can indeed be evaluated. The problem in your example query is <CODE>stats</CODE> only returns one field, last_time, so _time, hostname, etc. are not available to <CODE>table</CODE>. That can be resolved by using <CODE>eventstats</CODE> in place of <CODE>stats</CODE>.</P> Tue, 10 Sep 2019 13:09:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474721#M133499 richgalloway 2019-09-10T13:09:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474722#M133500 <P>Many thanks !</P> Tue, 10 Sep 2019 13:55:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-latests-events-from-an-events-set/m-p/474722#M133500 julienlance 2019-09-10T13:55:25Z