topic Re: How to write a search that returns the most recent event for a sourcetype on every host? in Splunk Search

How to write a search that returns the most recent event for a sourcetype on every host?

chadman — Thu, 09 Apr 2015 15:08:12 GMT

I have a csv file on every computer and need to just search the last event for eveyy host. I can't get a search to work without searching every event on every host. I have used dedup, but it still searches every host.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

bwooden — Thu, 09 Apr 2015 15:57:31 GMT

Here is an expensive way with ugly output using the map command

| stats count 
| eval host="host_a,host_b,host_c" 
| makemv delim="," host 
| mvexpand host 
| map search="search host=$host$ | head 1 "

Using your CSV file it might look like this...

| stats count 
| inputlookup=host_csv 
| map search="search host=$host$ | head 1 "

Better Solution

Actually, host info can be queried by metadata so this "Most recent event from each source?" answer from Ayn may be adapted to solve this problem more neatly.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

chadman — Thu, 09 Apr 2015 16:24:19 GMT

Sorry, maybe I explained this incorrectly. I have a bunch of host that forward logs to Splunk in the form of a csv line every min. I want to do a search of every host, but only get the last line of the log that has been forwarded by the host. So instead of searching every event on each host, I just need to grab the last event for a sourcetype.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

chadman — Mon, 28 Sep 2020 19:30:01 GMT

Here is what I use now and it works, but I think it's seaching every event. I only want it to look at the last event for every host to speed up the search. sourcetype="my source" | where Available_D < 100 | dedup host | sort Available_D a |table host,Available_D

Re: How to write a search that returns the most recent event for a sourcetype on every host?

dwaddle — Thu, 09 Apr 2015 21:22:52 GMT

I'd probably abstract this into a lookup file holding state. Specifically, keep in your lookup file the most recent event per host. When you update it incrementally, it is cheap -- and getting the current state from the lookup is super cheap.

A similar answer is here:

http://answers.splunk.com/answers/216701/how-to-send-an-alert-email-the-first-time-since-th.html

Re: How to write a search that returns the most recent event for a sourcetype on every host?

chadman — Tue, 14 Apr 2015 12:46:56 GMT

I tried that, but have not gotten it to work yet. I would think there would be an eaiser way to work with the last line from every host.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

dwaddle — Tue, 14 Apr 2015 13:07:01 GMT

I will try to bake up a concrete example today/tonight of doing this via lookup. Check this space.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

chadman — Wed, 15 Apr 2015 15:40:32 GMT

great, let me know if you come up with something

Re: How to write a search that returns the most recent event for a sourcetype on every host?

chimell — Wed, 15 Apr 2015 16:05:04 GMT

Hi chadman
to get last value of a host field you can use last() function with stats cammand

see the following serch code

    sourcetype="my source" | where Available_D < 100 | dedup host |stats last(host) as last_host| sort Available_D a |table  last_host  Available_D