topic Re: How can I get query only the last ten files from each device regardless of time range? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351869#M175173 <P>Thank you kat54! That works great. I was using a field that goes up by one for each subsequent sample run or "file": source|stats first("Service Counter") as frst last("Service Counter") as lst by "instr_id" |eval Range=(frst - lst) |where Range&lt;10</P> <P>The problem is that I want to have all ten most recent files for each device, then perform stats on the results (essentially filter the results and find the median, mean, or certain fields, as well the count of fields out of those ten files that meet the filtering requirements. I tried doing a join to the solution you gave me and the one I had come up with (yours is much more elegant and I have found a workaround using it). I am really new to Splunk and need some more time to test one more idea, but for now, I can export the solution you provided with the fields I need to perform stats on to Excel or SAS and do the refining there. Make sense? I'm not sure how much detail to go into. </P> Mon, 13 Mar 2017 02:15:51 GMT peterh26 2017-03-13T02:15:51Z How can I get query only the last ten files from each device regardless of time range? https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351867#M175171 <P>I am looking at 10,000 devices and want to look at the last ten files each one has produced. Some will create 100 files a day, some 10 files per week, so I cannot use date, I need to be able to get a count out of the last ten files that violate specific criteria.</P> Sun, 12 Mar 2017 08:45:31 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351867#M175171 peterh26 2017-03-12T08:45:31Z Re: How can I get query only the last ten files from each device regardless of time range? https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351868#M175172 <P>index=yourIndexName [index=yourIndexName | dedup host | fields host | return host] | dedup 10 source</P> <P>Unfortunately there is a limitation of 10,000 on subsearches I believe. Besides this next one might be exactly what you need.</P> <P>index=yourIndexName | dedup 10 host source | table host source | sort 0 host</P> <P>Events returned by dedup are based on search order. For historical searches, the most recent events are searched first. For real-time searches, the first events that are received are search, which are not necessarily the most recent events.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup</A></P> Sun, 12 Mar 2017 17:41:50 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351868#M175172 jkat54 2017-03-12T17:41:50Z Re: How can I get query only the last ten files from each device regardless of time range? https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351869#M175173 <P>Thank you kat54! That works great. I was using a field that goes up by one for each subsequent sample run or "file": source|stats first("Service Counter") as frst last("Service Counter") as lst by "instr_id" |eval Range=(frst - lst) |where Range&lt;10</P> <P>The problem is that I want to have all ten most recent files for each device, then perform stats on the results (essentially filter the results and find the median, mean, or certain fields, as well the count of fields out of those ten files that meet the filtering requirements. I tried doing a join to the solution you gave me and the one I had come up with (yours is much more elegant and I have found a workaround using it). I am really new to Splunk and need some more time to test one more idea, but for now, I can export the solution you provided with the fields I need to perform stats on to Excel or SAS and do the refining there. Make sense? I'm not sure how much detail to go into. </P> Mon, 13 Mar 2017 02:15:51 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351869#M175173 peterh26 2017-03-13T02:15:51Z Re: How can I get query only the last ten files from each device regardless of time range? https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351870#M175174 <P>The dedup 10 will give the latest 10 results assuming timestamps are correctly ordered.</P> Mon, 13 Mar 2017 19:59:54 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351870#M175174 jkat54 2017-03-13T19:59:54Z Re: How can I get query only the last ten files from each device regardless of time range? https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351871#M175175 <P>thanks again, this has been an incredibly helpful tool in my analysis, much appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Mon, 20 Mar 2017 04:58:05 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-query-only-the-last-ten-files-from-each-device/m-p/351871#M175175 peterh26 2017-03-20T04:58:05Z