
how to only check events from the latest source file

New Member

I have a boatload of log files whose names contain the timestamp, like this:
/DATA/show_cpu.2016101908.gz
/DATA/show_cpu.2016102108.gz

I only want to check the events in the latest file, so I tried the following command:

    index="-cli" source="show_cpu" | stats latest(source) by deviceId,fiveMinutes,timeStamp*

Unfortunately, the search results contain events from other source files.

Please help out.

0 Karma

Legend

Try this, assuming all events from the source have the same

    base search | eventstats max(_indextime) as it | where it=_time
0 Karma

Path Finder

Hi... I tried the answer which you provided... It didn't work... Is there any other way?

0 Karma

Super Champion

Check this one:

    index="-cli" | stats latest(source) by host,deviceId,fiveMinutes,timeStamp*

If the above won't work, then check these two:

    index="-cli" | stats latest(source) by host

and

    index="-cli" [search index="-cli" | stats latest(source) by host | table source] | table deviceId,fiveMinutes,timeStamp*

0 Karma

Path Finder

Hi @inventsekar... I tried the solution which you provided... It did not work. Is there any other solution?

0 Karma
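As an added example (not posted by anyone in this thread): one way to limit the results to the single newest file is to let a subsearch pick that file first and only then group the events. It assumes the index and field names from the question and that the timestamp embedded in the filename sorts correctly as plain text (zero-padded YYYYMMDDHH, as in the two paths shown), so the lexicographically largest `source` value is the latest file; the wildcards around `show_cpu` are needed because `source` holds the full path.

```spl
index="-cli" source="*show_cpu*"
    [ search index="-cli" source="*show_cpu*"
      | stats max(source) AS source
      | fields source ]
| table deviceId, fiveMinutes, timeStamp*
```

Run the bracketed subsearch on its own first and confirm it returns exactly one path; if it does, the outer search cannot contain events from any other file, regardless of the `by` fields used afterwards.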