How do I extract the last value from different sources in the same table
Hello!
How do I extract the last time event from two different sources in the same table?
For example, for just one event I do this:
my search | table _time source | head 1
_time                source
2017-05-05 12:37:00  path/log01
But I want something like this in the same table: there are two different sources, each with its last event.
I can do it for each one separately, but I don't want them in different panels or searches; I want them in the same one.
_time                source
2017-05-05 12:37:00  path/log01
2017-05-03 10:37:00  path/log02
Regards
That depends entirely on your data, and why you are only taking the first record of your first search.
Here's one way:
my first search | table _time source | head 1
| append
[search my second search | table _time source | head 1]
Here's another:
my search for first or second source | dedup source | table _time source
Search 2 is what's needed here.
Hello DalJeanis!
Thanks for your answer. The second search works fine for me, however it takes too much time to find the last two log events from the two different sources, because the search looks across all time.
I tried the first one, but it takes longer than the dedup.
Thanks for your support and for your time!
Best Regards!
Hi danielgp89!
When we say "my search for...", that means that you get to optimize whatever search you are doing in that part and it won't affect the code sample.
In this case, use the earliest command, so the search is not running across all time. You know your data, so if those sources are supposed to be sending every twenty minutes, use earliest=-1h. If they are sending every second, use earliest=-3s.
Also, just as a general tip, always specify the index that you want splunk to look at, so the system doesn't spend any time looking for your data where it isn't.
earliest=-10m index=foo source=bar1 OR source=bar2 ...my other search terms... | dedup source | table _time source
Possibly, or even probably, but from what little information OP posted, it's just guesswork. Of course, it opens more questions for curious minds.... or people who haven't got enough sleep between emergencies...
1) Is splunk smart enough to know that | dedup source, with no other qualifiers, is equivalent to "grab me just the first record from each source"?
2) In a distributed system, is splunk going to grab the first record from each source from each indexer and compare the _times? Or is it going to go to the indexers for _time for each source, and then ask for only one from the indexer with the highest one?
3) Does the answer change if you want the highest two, or ten (i.e. | dedup 10 source)?
Based on documentation, the dedup command looks for the most recent (and splunk shows events in reverse chronological order), so it's equivalent to grabbing the most recent unique records for that field. Since it looks for the most recent, it streams the most recent data from all indexers (can be confirmed by looking at dispatch.stream.remote in the job inspector) and then dedup is done (classic non-streaming command). The behavior should be the same regardless of how many unique combinations we request.
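As an added illustration of the earliest-bounded dedup search recommended above (earliest=-10m index=foo source=bar1 OR source=bar2 ... | dedup source | table _time source) and of the "dedup 10 source" question answered in the last reply, here is a small local model of what that pipeline returns. It is example code written for this thread, not Splunk's implementation: the events, sources, times and the fixed "now" are constructed sample data, and only the simple -<n><unit> form of the earliest modifier is handled.

```python
# Added example (not from the thread): a local model of
#   earliest=<modifier> source=X OR source=Y | dedup [N] source | table _time source
# Splunk returns events newest first and dedup keeps the first N it sees per value.
# All events, sources and the fixed "now" below are constructed sample data.
from datetime import datetime, timedelta
import re

NOW = datetime(2017, 5, 5, 13, 0, 0)  # assumed search time

# constructed sample events: (_time, source), deliberately out of order
EVENTS = [
    (datetime(2017, 5, 5, 12, 37, 0), "path/log01"),
    (datetime(2017, 5, 3, 10, 37, 0), "path/log02"),
    (datetime(2017, 5, 5, 12, 17, 0), "path/log01"),
    (datetime(2017, 5, 1, 9, 0, 0), "path/log02"),
    (datetime(2017, 5, 5, 12, 50, 0), "path/log03"),  # not in the source filter
]

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_earliest(modifier, now=NOW):
    """Turn a relative modifier such as '-1h', '-3s' or '-10m' into a cutoff time.
    Only the plain '-<n><unit>' form is modelled (no snap-to suffixes like '@d')."""
    m = re.fullmatch(r"-(\d+)([smhd])", modifier)
    if not m:
        raise ValueError(f"unsupported earliest modifier: {modifier}")
    return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})

def latest_per_source(events, sources, earliest, n=1, now=NOW):
    """Rows of '| dedup <n> source | table _time source' over the time-bounded,
    source-filtered events, plus how many events had to be read to produce them."""
    cutoff = parse_earliest(earliest, now)
    # events that match the time window and the source filter, newest first
    scanned = sorted((e for e in events if e[0] >= cutoff and e[1] in sources), reverse=True)
    rows, seen = [], {}
    for _time, source in scanned:
        if seen.get(source, 0) < n:  # dedup keeps the first n per source value
            seen[source] = seen.get(source, 0) + 1
            rows.append((_time.strftime("%Y-%m-%d %H:%M:%S"), source))
    return rows, len(scanned)
```

The scanned count is the point of the earliest tip: the same two rows come back for a 30-day window as for a bounded one when the data is fresh, but far fewer events have to be read.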