can you help me on last event displaying

jip31 · ‎09-28-2018

hello
when I execute the request below, i want to display only the last event without playing with token time or doing a dedup time
index="windows-wmi" sourcetype="wmi:diskdrive" | table host Caption DeviceID FirmwareRevision Status
how to do please?

kmorris_splunk · ‎09-29-2018

You could use the tail command:

index="windows-wmi" sourcetype="wmi:diskdrive" | table host Caption DeviceID FirmwareRevision Status | tail 1

niketn · ‎09-29-2018

@jip31 you should define whether you are interested in last event or latest event.

For latest event you should perform <yourCurrentSearch> | head 1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31 · ‎09-29-2018

Hello niketnilay i dont know if you have seen my comment before : for one host i have To events every hour. So for every host i need the Two last Event. Head 1 works only for one host and one event

niketn · ‎09-29-2018

If that is the case then you need stats/dedup by each hour so that you can identify two events. Any reason why you dont want to use either one?

Is there a way to filter each of the two events per hour uniquely?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

harishalipaka · ‎09-28-2018

@jip31

|sort _time

Thanks
Harish

niketn · ‎09-29-2018

@harishalipaka although your answer might not be what @jip31 might be looking for, | reverse will work faster than | sort command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

can you help me on last event displaying

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk