https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58465#M14308 <P>i think this should do it, I will try this. thank you very much.</P> Sat, 23 Mar 2013 18:42:57 GMT lemikg 2013-03-23T18:42:57Z https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58461#M14304 <P>Hello everyone,</P> <P>in my dashboard I have a table displaying the hardware configuration of a server and several other searches. So this is what I do, I pick a host, a timerange and hit search.<BR /> Depending on the timerange the desired table shows no results.</P> <P>Is there a way to search for the most recent event of that stream / <CODE>sourcetype=hardware</CODE> where the hardware information was logged?</P> <P>Thanks for your help.</P> <P>regards<BR /> mike</P> Tue, 12 Mar 2013 12:04:43 GMT https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58461#M14304 lemikg 2013-03-12T12:04:43Z https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58462#M14305 <P>You could increase your timerange and use <CODE>|head 1</CODE>. This returns the most recent in the timerange. You could also use a lookup generator. Run it every hour and then just lookup the host you want from the table. </P> <P>In transforms.conf put:</P> <P><CODE>[hardware]<BR /> filename = hardware.csv</CODE></P> <P>Then populate the lookup (Run this as a scheduled search every hour, 30 minutes, 5 minutes, whatever you feel is appropriate to get the required data):</P> <P><CODE>sourcetype=hardware | inputlookup hardware append=t | stats latest(*) as * by host | outputlookup hardware</CODE></P> <P>Then in your search you can do:</P> <P><CODE>your_search | lookup hardware host | do_things_with_hardware</CODE></P> <P>Ref:<BR /> <CODE><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Lookup" target="test_blank">http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Lookup</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup</A></CODE></P> Tue, 12 Mar 2013 12:19:45 GMT https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58462#M14305 alacercogitatus 2013-03-12T12:19:45Z https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58463#M14306 <P>hi alacercogitatus, thanks for your reply. I was thinking of the lookup too and is probably the easiest way. I wanted to avoid increasing the timerange but Due to the number of searches in that particular view and userfriendliness I hoped to find another way of solving this.</P> <P>From what I understand the metadata searches over time ie. indepently from the set timerange.</P> <P>I was hoping to find something similar. Do you have something in that direction on your mind?</P> Tue, 12 Mar 2013 13:42:40 GMT https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58463#M14306 lemikg 2013-03-12T13:42:40Z https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58464#M14307 <P>Well, you could use the timestamps in the metadata and do a second search.</P> <P><CODE>|append [|metadata type=sourcetypes sourcetype=hardware|eval et=lastTime - (60*10)|convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(et) as et|map search="search sourcetype=hardware earliest=$et$|head 1"]</CODE></P> <P>This will return the events of the sourcetype.</P> Tue, 12 Mar 2013 14:01:26 GMT https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58464#M14307 alacercogitatus 2013-03-12T14:01:26Z https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58465#M14308 <P>i think this should do it, I will try this. thank you very much.</P> Sat, 23 Mar 2013 18:42:57 GMT https://community.splunk.com/t5/Splunk-Search/finding-the-most-recent-sourcetype-hardware-similar-to-metadata/m-p/58465#M14308 lemikg 2013-03-23T18:42:57Z