- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Bring the last source of the index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
good morning
Currently, for monitoring purposes, it is necessary to validate the states of certain indexes, and when validating that a state is NOK, show the data of the server and the last indexed file.
I have the following query, but it is valid that it brings me 2 files and not the last, the file that it brings from today has a different name.
| metasearch index=test sourcetype=test_2 source =/splunk/logs/*_ log
| stats last (_time) as recentTime by index sourcetype host source
| eval Time = strftime (recentTime, "% Y /% m /% d% H:% M:% S")
| fields - recentTime
index sourcetype host source Time
test test2 localhost /splunk/logs/20180425_log 2018/04/27 00:02:01
test test2 localhost /splunk/logs/20180426_log 2018/04/27 08:05:49
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This line:
| stats last (_time) as recentTime by index sourcetype host source
asks Splunk to list every tuple of plus the latest timestamp seen for that tuple. In order to then present only the source with the most recent timestamp, you could do this:
| metasearch index=test sourcetype=test_2 source =/splunk/logs/*_ log
| stats last (_time) as recentTime by index sourcetype host source
| sort 1 - recentTime
| eval Time = strftime (recentTime, "% Y /% m /% d% H:% M:% S")
| fields - recentTime
The sort line will sort all events by the field recentTime in descending order (the most recent first), and present only the first result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This line:
| stats last (_time) as recentTime by index sourcetype host source
asks Splunk to list every tuple of plus the latest timestamp seen for that tuple. In order to then present only the source with the most recent timestamp, you could do this:
| metasearch index=test sourcetype=test_2 source =/splunk/logs/*_ log
| stats last (_time) as recentTime by index sourcetype host source
| sort 1 - recentTime
| eval Time = strftime (recentTime, "% Y /% m /% d% H:% M:% S")
| fields - recentTime
The sort line will sort all events by the field recentTime in descending order (the most recent first), and present only the first result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This makes no sense..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it is needed for monitoring issues to validate which is the last indexed file, since there are files that are generated every 1 hour and daily.
the information that I gave is from another query that validates only if there are or there are no events, and it is validating what the current state is.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
