Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search latest indexed file for different sourcetype

meenal901
Communicator
‎10-07-2013 02:26 AM

Hi,

I have 3 sources from which the files are loaded into Splunk, the time of arrival of files and frequency is different for all three.
source-1 -> every 5 minutes
source-2 -> every 1 hour
source-3 -> every 4 hours

Now, these files go into same folder based on version, which is a common field for all three, not the version. I want to search in the latest files (time based in their own family) of source-1, source-2 and source-3 irrespective of their comparative index time. I don't want to use transaction command.

Is it possible? If so, how?

Thanks,
Meenal

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-07-2013 03:46 AM

If all your sources are on NTP or similar, so that you can trust the event timestamps, something like this perhaps?

(source=source_1 AND earliest=-5m) OR (source=source_2 AND earliest=-1h) OR (source=source_3 AND earliest=-4h) | the rest of your search

/Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...