topic Re: How to get results only from latest source file of particular sourcetype in Splunk Search

How to get results only from latest source file of particular sourcetype

avni26 — Wed, 30 Sep 2020 02:38:06 GMT

HI,
I got an index which send data to sourcetype with new source file every week.
what I want is to my dashboard search query only return events from the latest source file.
For example , my index is - index_sdx2 sourctype is -- splunk_data and there are multiple sources inside this sourcetype like data1.csv data1_10082019.csv data1_11102019.csv
And I want to take only data from latest source , that is all events from source= data1_11102019.csv
I tried like below
index="index_sdx2" sourcetype=splunk_data |eventstats first(_time) as time | where _time==time
But its not giving all data from source data1_11102019.csv
please suggest.

Re: How to get results only from latest source file of particular sourcetype

knielsen — Wed, 16 Oct 2019 09:21:57 GMT

I think

index="index_sdx2" sourcetype=splunk_data [search index="index_sdx2" sourcetype=splunk_data | head 1 | fields source]

should work.

Re: How to get results only from latest source file of particular sourcetype

avni26 — Wed, 16 Oct 2019 09:36:28 GMT

@knielsen, yes its working.Thank you. But performance is slow. Its taking too much time load in dashboard.