How to index only the latest event?


Hi, I'm indexing some SCCM user logon files, but I only want to index the latest event, i.e. the bottom event in the list. Is there an easy way to do this rather than indexing the entire contents and stripping it out at search time?



The latest event, or the latest event for each user? Neither one has an easy way, since the architecture philosophy of Splunk is to index everything and let the search sort them out.

If you are looking for that, you'd probably be best off writing a preprocessor for the file, either a script or a modular input.

Could you explain your use case, so we understand what you are trying to achieve?

In terms of getting the answer at search time, look at the dedup command, and remember that by default, Splunk returns events in most-recent-first order.



Your search | stats latest(_raw) latest(field1) latest(field2) by field3

Get the latest event and add it into indexing.

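The preprocessor the first answer suggests, and the per-user selection the second answer's `stats latest(_raw) ... by field3` does at search time, as an added example that is not part of either reply. The log format below is constructed for illustration (one line per logon, `user=` and `host=` key/value pairs after a timestamp); a real SCCM log needs its own parser, and the script name `latest_logon.py` and its `--per-user` flag are my own choices. Run it from cron or as a Splunk scripted input so that only what it prints gets indexed.

```python
#!/usr/bin/env python3
"""Preprocessor for a logon log: emit only the latest event (overall or per user).

Added example, not from the original thread. The input format is constructed
for illustration; real SCCM logs will need their own parser. Point a Splunk
scripted input (or a cron job) at this script so only the lines it prints are
indexed.
"""
import sys
from datetime import datetime

# Constructed sample data: one line per logon event, oldest first, with one
# out-of-order line at the bottom to show that selection is by timestamp,
# not by position in the file.
SAMPLE_LOG = """\
2021-03-01 08:15:02 user=alice host=WS01 event=logon
2021-03-01 08:20:45 user=bob host=WS02 event=logon
2021-03-01 09:05:11 user=alice host=WS03 event=logon
2021-03-01 08:59:59 user=carol host=WS04 event=logon
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_event(line):
    """Parse one log line into (timestamp, fields, raw); return None for junk lines."""
    line = line.rstrip("\n")
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], TIMESTAMP_FORMAT)
    except ValueError:
        return None
    fields = {}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    return ts, fields, line


def latest_event(lines):
    """Return the raw line of the most recent event, or None if nothing parses.

    Ties go to the later line, so on a strictly ordered file this is exactly
    the bottom event the question asks for.
    """
    best = None
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        if best is None or parsed[0] >= best[0]:
            best = parsed
    return best[2] if best else None


def latest_per_user(lines):
    """Return {user: raw line} keeping only each user's most recent event.

    Preprocessor equivalent of `... | stats latest(_raw) by user`.
    """
    best = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        user = parsed[1].get("user")
        if user is None:
            continue
        if user not in best or parsed[0] >= best[user][0]:
            best[user] = parsed
    return {user: p[2] for user, p in best.items()}


def main(argv):
    """Usage: latest_logon.py <logfile> [--per-user]; prints the selected lines."""
    if len(argv) < 2:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    if "--per-user" in argv[2:]:
        for raw in latest_per_user(lines).values():
            print(raw)
    else:
        raw = latest_event(lines)
        if raw is not None:
            print(raw)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats before wiring this up as a scripted input (`[script://...]` stanza in inputs.conf): a scheduled run re-emits the same line every interval unless you persist the last timestamp seen, and anything the script drops is gone for good, which is the trade-off the first answer is warning about when it says Splunk's philosophy is to index everything and filter at search time.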