topic Re: How to retrieve events from the most recent day in which there are events present? in Splunk Search

How to retrieve events from the most recent day in which there are events present?

tgittelmacher — Mon, 24 Jul 2017 20:19:49 GMT

I have a small number of events (around 4 or 5) being generated each day Monday through Friday. I would like my search to return the most recent weekday's events. However, if I use a simple "Today" relative search, and the search is run on a Saturday or Sunday, no results will appear. Instead, it should grab the preceding Friday's events . Is there a simple way to do this I'm missing?

For instance, on Thursday July 20th, only the events that occurred that day will appear. On Friday, only those on July 21st. On Saturday the 22nd or Sunday the 23rd, only the events from Friday July 21st show up. Then, on Monday July 24th, the events from Monday the 24th appear.

Re: How to retrieve events from the most recent day in which there are events present?

DalJeanis — Mon, 24 Jul 2017 22:55:27 GMT

There are a number of ways, and with this small number of events, any of them are fine

earliest=-4d@d latest=@d   your search for the events 
| bin _time as theDate span=1d
| eventstats max(theDate) as maxDate 
| where theDate=maxDate
| fields - theDate maxDate

Re: How to retrieve events from the most recent day in which there are events present?

tgittelmacher — Wed, 16 Aug 2017 20:30:43 GMT

Seems to work like a charm. Much appreciated.