Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

can you help me on last event displaying

jip31
Motivator
‎09-28-2018 10:01 PM

hello
when I execute the request below, i want to display only the last event without playing with token time or doing a dedup time
index="windows-wmi" sourcetype="wmi:diskdrive" | table host Caption DeviceID FirmwareRevision Status
how to do please?

Tags (1)
0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎09-29-2018 05:53 AM

You could use the tail command:

index="windows-wmi" sourcetype="wmi:diskdrive" | table host Caption DeviceID FirmwareRevision Status | tail 1

0 Karma
Reply

niketn
Legend
‎09-29-2018 08:51 AM

@jip31 you should define whether you are interested in last event or latest event.

For latest event you should perform <yourCurrentSearch> | head 1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

jip31
Motivator
‎09-29-2018 09:31 AM

Hello niketnilay i dont know if you have seen my comment before : for one host i have To events every hour. So for every host i need the Two last Event. Head 1 works only for one host and one event

0 Karma
Reply

niketn
Legend
‎09-29-2018 09:49 AM

If that is the case then you need stats/dedup by each hour so that you can identify two events. Any reason why you dont want to use either one?

Is there a way to filter each of the two events per hour uniquely?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

harishalipaka
Motivator
‎09-28-2018 11:41 PM

@jip31

|sort _time
Thanks
Harish
0 Karma
Reply

niketn
Legend
‎09-29-2018 08:53 AM

@harishalipaka although your answer might not be what @jip31 might be looking for, | reverse will work faster than | sort command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...