if multiple events at different time, only return ...

salt87 · ‎11-09-2019

Hi,

I've got a search that returns me the following results:

Basically, I would like to only keep the most recent events for an IPAddress IF the field IPAddress has multiple events at 2 different time and discard the oldest event. In the case of the screenshot above, I would like to remove the highlighted line.

Would that be possible? Let me know if you need more information.

Thanks

woodcock · ‎11-10-2019

Add this to the bottom of your existing search:

... | streamstats count BY _time IPAddress
| where count == 1

woodcock · ‎11-09-2019

Just add this to the bottom:

... | dedup IPAddress

salt87 · ‎11-10-2019

Hi,

This won't work because I still need to see all events for an IPAddress. This will only show me one event per IP.

woodcock · ‎11-10-2019

See my new answer.

arjunpkishore5 · ‎11-09-2019

Base on the example you provided

| stats values(pluginID) as pluginID by _time, IPAddress delim=","
| slats latest(pluginID) as pluginID, max(_time) as _time by IPAddress
| eval pluginID=split(pluginID,",")
| mvexpand pluginID

salt87 · ‎11-10-2019

Hi,

Unfortunately this is not working as it only shows one event for IP3 and not 2 events as shown in the OP screenshot.

This is the output:
IPAddress pluginID _time
IP1 94932 2019-11-01 04:19:23
IP2 46172 2019-11-08 20:32:25
IP3 108797 2019-10-31 02:00:21

What I would like is still keep both events for IP3 as per below:

IPAddress pluginID _time
IP1 94932 2019-11-01 04:19:23
IP2 46172 2019-11-08 20:32:25
IP3 108797 2019-10-31 02:00:21
IP3 84729 2019-10-31 02:00:21

Thanks

arjunpkishore5 · ‎11-10-2019

looks like latest is converting the mv field to a single value. Edited my answer. Please give it a try.

if multiple events at different time, only return most recent events based on a field

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability