https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447806#M169058 <P>try <CODE>head</CODE> command:<BR /> Returns the first N number of specified results in search order</P> <PRE><CODE>... | head 1 </CODE></PRE> Wed, 06 Jun 2018 12:57:17 GMT 493669 2018-06-06T12:57:17Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447805#M169057 <P>I have my query ready which essentially extracts some fields and displays in a table.<BR /> But I want to work on the latest event only. <BR /> How do I put condition so that my query only works on the latest one event?</P> Wed, 06 Jun 2018 12:52:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447805#M169057 zacksoft 2018-06-06T12:52:12Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447806#M169058 <P>try <CODE>head</CODE> command:<BR /> Returns the first N number of specified results in search order</P> <PRE><CODE>... | head 1 </CODE></PRE> Wed, 06 Jun 2018 12:57:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447806#M169058 493669 2018-06-06T12:57:17Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447807#M169059 <PRE><CODE>|sort _time |head 1 </CODE></PRE> Wed, 06 Jun 2018 13:01:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447807#M169059 harishalipaka 2018-06-06T13:01:50Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447808#M169060 <P>Is |sort _time necessary ?<BR /> Won't |head 1 alone will do the job?<BR /> Just confirming.</P> Wed, 06 Jun 2018 13:05:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447808#M169060 zacksoft 2018-06-06T13:05:26Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447809#M169061 <P>If it is realtime data it will come updated with head 1 ..or it is saved data it will directly give top of the value head 1 in this situation you have to sort _time than you will get top value as updated. </P> Wed, 06 Jun 2018 13:07:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447809#M169061 harishalipaka 2018-06-06T13:07:31Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447810#M169062 <P>even if there are duplicates, using <CODE>head 1</CODE> it will took latest one</P> Wed, 06 Jun 2018 13:12:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447810#M169062 493669 2018-06-06T13:12:49Z https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447811#M169063 <P>below example explain how it is works .</P> <PRE><CODE>| makeresults | eval A=45 | eval DateHour="2018-06-06 18:47:22.820" | append [| makeresults | eval A=30 | eval DateHour="2018-06-06 18:45:22.820" ] | append [| makeresults | eval A=50 | eval DateHour="2018-06-06 18:57:22.000" ] | fields - _time | head 1 </CODE></PRE> Wed, 06 Jun 2018 13:21:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-work-on-the-latest-event-only/m-p/447811#M169063 harishalipaka 2018-06-06T13:21:46Z