topic Re: How do i filter out all but the most recent results for a particular field in Splunk Search

How do i filter out all but the most recent results for a particular field

musgrape — Tue, 16 Jun 2015 02:56:17 GMT

I'd like to create a search that allows me to filter out all the old results and only give me back the latest result for a given field value.
How can I do this? (similar to the latest in the stats command but for the actual results)

For example given the following results:
2015-05-01 Version:1.34 user:b
2015-04-01 Version:1.2 user:a
2015-03-03 Version: 1.34 user:a
2015-02-03 Version: 1.2 user:b

I only want to see the following:
2015-04-01 Version:1.2 user:a
2015-05-01 Version:1.34 user:b

i.e. I only want to see the latest version per user.

Re: How do i filter out all but the most recent results for a particular field

woodcock — Tue, 16 Jun 2015 03:21:47 GMT

Like this:

... | dedup user

Re: How do i filter out all but the most recent results for a particular field

cmeinco — Tue, 16 Jun 2015 03:28:31 GMT

use the last function:

stats last(version) by user

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions

Re: How do i filter out all but the most recent results for a particular field

musgrape — Tue, 16 Jun 2015 05:26:08 GMT

Perfect thanks. This worked for me:
dedup user sortby -_time | table...