https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552365#M156774 <P>Yup, that did the trick.&nbsp;</P><P>Thanks mate!</P> Thu, 20 May 2021 10:21:31 GMT jugarugabi 2021-05-20T10:21:31Z https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552346#M156761 <P>Hi,&nbsp;</P><P>I have a csv file that is updated by a script once a minute.&nbsp;<BR />The output is similar to:&nbsp;</P><P>time,queuename,vpn,last-message-id-spooled,max-message-size-exceeded,total-messages-spooled,num-messages-spooled,current-spool-usage-in-mb,bind-count,recordsinperiod,eol<BR />2021-05-20_10-20,q.static.prp.solacequeue, test_uat_de, 117446717393, 0, 40340019 , 0, 0, 25 ,0,eol<BR />2021-05-20_10-20,q.static.prp.solacequeue-number2, test_uat_de, 117493, 0, 4039 , 0, 0, 25 ,0,eol<BR />2021-05-20_10-19,q.static.prp.solacequeue, test_uat_de, 0, 0, 0 , 0, 0, 0 ,0,eol<BR />2021-05-20_10-19,q.static.prp.solacequeue-number2, test_uat_de, 0, 0, 0 , 0, 0, 0 ,0,eol</P><P>Now, I want to create a search query that will show only the last update in the csv file and show me the result like this:&nbsp;</P><P>q.static.prp.solacequeue, test_uat_de, 117446717393, 0, 40340019 , 0, 0, 25 ,0,eol<BR />q.static.prp.solacequeue-number2, test_uat_de, 117493, 0, 4039 , 0, 0, 25 ,0,eol</P><P>Tried using the search below, but the output still shows everything that happened during the day, instead those only 2 lines.&nbsp;</P><PRE>index=* sourcetype=queues <BR />| stats latest(time) by time queuename last_message_id_spooled current_spool_usage_in_mb bind_count recordsinperiod</PRE><P>&nbsp; What am I missing?</P><P>Thanks,<BR />Gabriel</P> Thu, 20 May 2021 08:30:49 GMT https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552346#M156761 jugarugabi 2021-05-20T08:30:49Z https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552356#M156767 <P>Will this work for you?</P><LI-CODE lang="markup">index=* sourcetype=queues | stats latest(*) as * by queuename</LI-CODE> Thu, 20 May 2021 09:33:14 GMT https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552356#M156767 ITWhisperer 2021-05-20T09:33:14Z https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552359#M156770 <P>Thanks - that simple...</P><P>One more question: the line with the header is added as well to the results.<BR />How can I remove that particular line and provide me only the information without the header that can be found in the csv file?</P> Thu, 20 May 2021 09:46:42 GMT https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552359#M156770 jugarugabi 2021-05-20T09:46:42Z https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552361#M156772 <P>if you are using inputlookup to read the csv file you can use the start=1 argument. If you already have ingested it into an index, you could use | where time!="time"</P> Thu, 20 May 2021 09:55:37 GMT https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552361#M156772 ITWhisperer 2021-05-20T09:55:37Z https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552365#M156774 <P>Yup, that did the trick.&nbsp;</P><P>Thanks mate!</P> Thu, 20 May 2021 10:21:31 GMT https://community.splunk.com/t5/Splunk-Search/Show-last-update-from-indexed-csv-file/m-p/552365#M156774 jugarugabi 2021-05-20T10:21:31Z