Deployment Architecture

how do I extract the last value from different source in the same table

danielgp89
Path Finder

Hello!

How do I extract the last time event from two different source in the same table!

example for just one event I do the next:

my search | table _time source | head 1

_time---------------------- source
2017-05-05 12:37:00 path/log01

but if I want in the same table something like this, the are two different source with their last event.

I can do it for each but I don't want them in different panels or search I want them in the same.

_time--------------------- source
2017-05-05 12:37:00 path/log01
2017-05-03 10:37:00 path/log02

Regards

Tags (1)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

That depends entirely on your data, and why you are only taking the first record of your first search.

Here's one way:

my first search | table _time source | head 1
| append 
    [search my second search | table _time source | head 1]

Here's another:

my search for first or second source  | dedup source | table _time source

somesoni2
SplunkTrust
SplunkTrust

Search 2 is whats needed here.

0 Karma

danielgp89
Path Finder

Hello DalJeanis!

Thanks for your answer, the second search works fine for me, however it takes to much time to find the last two log event from the two different source, because the search look for all time.

I tried the first one, but it takes longer time than the dedup.

Thanks for your support and for your time!

Best Regards!

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Hi danielgp89!

When we say "my search for...", that means that you get to optimize whatever search you are doing in that part and it won't affect the code sample.

In this case, use the earliest command, so the search is not running across all time. You know your data, so if those sources are supposed to be sending every twenty minutes, use earliest=-1h. If they are sending every second, use earliest=-3s.

Also, just as a general tip, always specify the index that you want splunk to look at, so the system doesn't spend any time looking for your data where it isn't.

earliest=-10m index=foo source=bar1 OR source=bar2 ...my other search terms...  | dedup source | table _time source
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Possibly, or even probably, but from what little information OP posted, it's just guesswork. Of course, it opens more questions for curious minds.... or people who haven't got enough sleep between emergencies...

1) Is splunk smart enough to know that that | dedup source, with no other qualifiers, is equivalent to "grab me just the first record from each source?"

2) In a distributed system, is splunk going to grab the first record from each source from each indexer and compare the _times? Or is it going to go to the indexers for _time for each source, and then ask for only one from the indexer with the highest one?

3) Does the ansswer change if you want the highest two, or ten (ie | dedup 10 source)?,

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Based on documentation, the dedup commands looks for the most recent, (and splunk shows events in reverse chronological order), so it's equal to grab the most recent unique records for that field. Since it looks for most recent, it streams most recent data from all indexes (can be confirmed by seeing the job inspector-dispath.stream.remote) and then dedup is done (classic non-streaming command). The behavior should be same regardless of how many unique combination we request.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...