Re: how do I extract the last value from different...

danielgp89 · ‎05-08-2017

Hello!

How do I extract the last time event from two different source in the same table!

example for just one event I do the next:

my search | table _time source | head 1

_time---------------------- source
2017-05-05 12:37:00 path/log01

but if I want in the same table something like this, the are two different source with their last event.

I can do it for each but I don't want them in different panels or search I want them in the same.

_time--------------------- source
2017-05-05 12:37:00 path/log01
2017-05-03 10:37:00 path/log02

Regards

DalJeanis · ‎05-08-2017

That depends entirely on your data, and why you are only taking the first record of your first search.

Here's one way:

my first search | table _time source | head 1
| append 
    [search my second search | table _time source | head 1]

Here's another:

my search for first or second source  | dedup source | table _time source

somesoni2 · ‎05-08-2017

Search 2 is whats needed here.

danielgp89 · ‎05-09-2017

Hello DalJeanis!

Thanks for your answer, the second search works fine for me, however it takes to much time to find the last two log event from the two different source, because the search look for all time.

I tried the first one, but it takes longer time than the dedup.

Thanks for your support and for your time!

Best Regards!

DalJeanis · ‎05-09-2017

Hi danielgp89!

When we say "my search for...", that means that you get to optimize whatever search you are doing in that part and it won't affect the code sample.

In this case, use the earliest command, so the search is not running across all time. You know your data, so if those sources are supposed to be sending every twenty minutes, use earliest=-1h. If they are sending every second, use earliest=-3s.

Also, just as a general tip, always specify the index that you want splunk to look at, so the system doesn't spend any time looking for your data where it isn't.

earliest=-10m index=foo source=bar1 OR source=bar2 ...my other search terms...  | dedup source | table _time source

DalJeanis · ‎05-09-2017

Possibly, or even probably, but from what little information OP posted, it's just guesswork. Of course, it opens more questions for curious minds.... or people who haven't got enough sleep between emergencies...

1) Is splunk smart enough to know that that | dedup source, with no other qualifiers, is equivalent to "grab me just the first record from each source?"

2) In a distributed system, is splunk going to grab the first record from each source from each indexer and compare the _times? Or is it going to go to the indexers for _time for each source, and then ask for only one from the indexer with the highest one?

3) Does the ansswer change if you want the highest two, or ten (ie | dedup 10 source)?,

somesoni2 · ‎05-09-2017

Based on documentation, the dedup commands looks for the most recent, (and splunk shows events in reverse chronological order), so it's equal to grab the most recent unique records for that field. Since it looks for most recent, it streams most recent data from all indexes (can be confirmed by seeing the job inspector-dispath.stream.remote) and then dedup is done (classic non-streaming command). The behavior should be same regardless of how many unique combination we request.

how do I extract the last value from different source in the same table

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk