
Find latest event (multiple sources) and use chart at the end in one query


index="test"
| eval SCHEDULED_DELETIONS=case(
    source="app1.csv" AND ACTION="SCHEDULED", "CUSTOMER_ID",
    source="app2.csv" AND ACTION="TO_DELETE", "SUBSCRIPTION_ID",
    source="app2.csv" AND APP_UNUMBER="U-500", "ACCOUNT_ID",
    source="app4.csv" AND STATUS="N", "CUSTOMER_ID")
| eval APPLICATION=case(
    source="app1.csv", "APP1",
    source="app2.csv" AND APP_UNUMBER="U-500", "APP3",
    source="app2.csv", "APP2",
    source="app4.csv", "APP4")
| chart count over APPLICATION by SCHEDULED_DELETIONS usenull=f

In each source the *_ID values are duplicated, because there are multiple events per ID as some other field value changes. I want to find the latest event for each ID and remove the duplicates from the count.
I want to use the latest(x) function, but I could not form the query, as stats latest(x) loses all the other fields. I tried using values() as "something" by "field name", but it did not work when I tried it for multiple sources in one query.
As there are multiple sources, I would like to use latest(x) multiple times.

Please assist. Thanks in advance.

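One way to get one row per ID before charting, as an added example that is not part of the original post or any of the replies. It assumes the same sources and field names as the question (CUSTOMER_ID, SUBSCRIPTION_ID, ACCOUNT_ID, ACTION, STATUS, APP_UNUMBER are real event fields, and each source is keyed on the *_ID named in the question), and it introduces a hypothetical RECORD_ID field to hold whichever ID applies to a given source. The trick the question is asking about is to call latest() once per field you still need, grouped by source and ID, so the other fields survive the stats command:

```spl
index="test"
| eval RECORD_ID=case(
    source="app1.csv", CUSTOMER_ID,
    source="app2.csv" AND APP_UNUMBER="U-500", ACCOUNT_ID,
    source="app2.csv", SUBSCRIPTION_ID,
    source="app4.csv", CUSTOMER_ID)
| where isnotnull(RECORD_ID)
| stats latest(_time) AS _time,
        latest(ACTION) AS ACTION,
        latest(STATUS) AS STATUS,
        latest(APP_UNUMBER) AS APP_UNUMBER
        BY source, RECORD_ID
| eval SCHEDULED_DELETIONS=case(
    source="app1.csv" AND ACTION="SCHEDULED", "CUSTOMER_ID",
    source="app2.csv" AND APP_UNUMBER="U-500", "ACCOUNT_ID",
    source="app2.csv" AND ACTION="TO_DELETE", "SUBSCRIPTION_ID",
    source="app4.csv" AND STATUS="N", "CUSTOMER_ID")
| eval APPLICATION=case(
    source="app1.csv", "APP1",
    source="app2.csv" AND APP_UNUMBER="U-500", "APP3",
    source="app2.csv", "APP2",
    source="app4.csv", "APP4")
| chart count over APPLICATION by SCHEDULED_DELETIONS usenull=f
```

The stats block collapses every (source, RECORD_ID) pair to the values from its most recent event, so the later case() evaluations and the chart only ever see one event per ID. The same result can be had with `| dedup source RECORD_ID sortby -_time` in place of the stats command, which keeps the whole original event; what does not work is `| dedup source CUSTOMER_ID SUBSCRIPTION_ID ACCOUNT_ID`, because dedup drops every event missing any of the listed fields unless keepempty=true is set, and no single event carries all three IDs. In both variants "latest" means latest by _time, so check that the CSV timestamps are being parsed into _time rather than defaulting to index time, or the per-ID winner will be whichever row happened to be ingested last.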


Try adding | dedup APPLICATION SCHEDULED_DELETIONS before the chart command.

Also, "CUSTOMER_ID", "SUBSCRIPTION_ID" etc.: are they field names or some static string values?



What are the fields you get before the | eval APPLICATION section? SCHEDULED_DELETIONS, source, ACTION, any other fields to consider?


@anantdeshpande
try with |sort _time |head 1
