Solved: Can we fetch the last available data in an index ,...

shahid285 · ‎05-29-2019

I have an requirement to show the data for last 24hrs. If the data is not available for the last 24hrs, i need to show the 24hrs data which was ingested very lastly.
Example :
If i had ingested data on 28-May-2019:00:00:00
and querying that data on 29-May-2019:03:34:00(consider it to be latest=now), i would be seeing the data.

if now is 30-May-2019:02:34:59. And if i run the query with earliest=-24hrs , i would not get any data.

But i need the 24hrs data here, which was lastly ingested. That would on 28-May-2019:00:00:00.

A sample query would be helpful here.

Thanks
Shahid

kmorris_splunk · ‎05-29-2019

Would something like the following work for you?

[YOUR BASE SEARCH] 
| eventstats max(_time) as mylatest 
| where _time > mylatest-86400

The eventstats is calculating the latest time for the base search, which would be available in each event. You then filter where the _time of each event is within 24 hours of the last event you received.

View solution in original post

kmorris_splunk · ‎05-29-2019

Would something like the following work for you?

[YOUR BASE SEARCH] 
| eventstats max(_time) as mylatest 
| where _time > mylatest-86400

The eventstats is calculating the latest time for the base search, which would be available in each event. You then filter where the _time of each event is within 24 hours of the last event you received.

shahid285 · ‎05-29-2019

@kmorris_splunk : Thanks a lot, your solution worked as expected

Thanks again!

Shahid

Can we fetch the last available data in an index , which is not ingested in the last 24hrs?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)