topic Re: latest in Splunk Search

latest

vinod0313 — Tue, 25 Aug 2020 17:04:38 GMT

Hello

I have below logs in last 60 mins

log1: ABC=1,DEF=2,GHI=3

log2:ABC=0,DEF=0,GHI=3

while executing my query for last 60 mins

i am getting below result

ABC=1,DEF=2,GHI=3
ABC=0,DEF=0,GHI=0

But i want only latest log result as like below

ABC=1,DEF=2,GHI=3

Re: latest

richgalloway — Tue, 25 Aug 2020 17:42:28 GMT

Check out the dedup command.

Re: latest

vinod0313 — Tue, 25 Aug 2020 17:44:00 GMT

where should i use this command

Re: latest

ITWhisperer — Tue, 25 Aug 2020 17:46:07 GMT

... | head 1

Re: latest

richgalloway — Tue, 25 Aug 2020 19:22:45 GMT

Put it at the end of your current search.

Re: latest

vinod0313 — Wed, 26 Aug 2020 04:17:23 GMT

I kept dedup command at the end but it didnt worked

Re: latest

vinod0313 — Wed, 26 Aug 2020 05:25:06 GMT

could any please help me to find the solution.

Re: latest

ITWhisperer — Wed, 26 Aug 2020 07:49:23 GMT

Try limiting the number of events with head

index="cx_aws" source="notification-service" | head 1 | spath ...

I am not sure if this is the right query but it seems to be the one from your image. The point is that head will reduce the number of events from the base search, in this case to 1 i.e. the latest event