Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get latest 50 events based on real-time in my search?

prasi_17894
New Member
‎04-22-2020 10:01 AM

I am trying to fetch the latest 50 events by _time.

This is the search I used, putting required columns in a table:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table country, site, servicesName, servicesSuccessful, _time

There are only a few items in the search results, but there are at least a million events.

country site    servicesName      servicesSuccessful    _time
MX  02731   GetProductLocations true                   2020-04-22 16:20:53
CA  03739   GetItemInfoForBin      true               2020-04-22 16:20:53
MX  03866   GetProductLocations true                  2020-04-22 16:20:53
UK  04844   GetProductLocations true                  2020-04-22 16:20:53
NI  04396   GetProductLocations true                  2020-04-22 16:20:53

Expected results are shown below, fetching the latest 50 events by time per servicesName, site and country:

country  site   servicesName        servicesSuccessful  _time
MX      02731   GetProductLocations   true             2020-04-22 16:20:53
MX      02731   GetProductLocations   true             2020-04-22 16:18:53
MX      02731   GetProductLocations   false            2020-04-22 16:16:53
MX      02731   GetProductLocations   true             2020-04-22 16:15:53


MX      02731   GetProductLocations   true             2020-04-22 16:00:53


CA      03739   GetItemInfo           true             2020-04-22 16:20:53
CA      03739   GetItemInfo           true             2020-04-22 16:19:53
CA      03739   GetItemInfo           false            2020-04-22 16:18:53



CA      03739   GetItemInfo           true             2020-04-22 15:20:53
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-22-2020 11:49 AM

You can use stats command with latest function and head command:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel" 
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName 
| table servicesSuccessful, _time, servicesName, site, country
| stats latest(*) as *  by servicesName, site, country
| head 50

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-22-2020 11:49 AM

You can use stats command with latest function and head command:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel" 
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName 
| table servicesSuccessful, _time, servicesName, site, country
| stats latest(*) as *  by servicesName, site, country
| head 50
0 Karma
Reply
Solved! Jump to solution

prasi_17894
New Member
‎04-23-2020 05:27 AM

@manjunathmeti Thank you.
The below query worked.

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table servicesSuccessful, _time, servicesName, site, country
| top 50 showcount=false showperc=false _time, servicesSuccessful by country, site, servicesName

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...