Getting Data In

Find time of latest event type without streaming all data from indexer

plaxos
Explorer

The time of the latest log record for a specific customer can be retrieved and used as the output from a subsearch with ...

..... [ search index=tlog custid=1234 | head 1 | eval latest=_time | fields latest | format ] | ....

But depending on the volume of customer activity, this could result in up to xxx thousand records being streamed and then immediately dropped (by the head 1). Limiting the subsearch to a relative time period, e.g. earliest=-1d, is not possible.

Is there any way to have the indexer stream only one or a fixed number of records? i.e. the equivalent of doing head 1 on the indexer.

Using | metadata, it is easy to get the latest time for specific sourcetypes etc, but this does not help in this case.

0 Karma

plaxos
Explorer

To elaborate ... I need to get the last 30 minutes of activity for a custid where the custid comes from an ad-hoc query through a dashboard. The activity for that custid may have been in the last few minutes or a few weeks ago. The total number of records for the customer could be in the hundreds or the tens of thousands. I am using this search with a subsearch to find the time of the last activity and put it in an "earliest" clause:

search index=tlog sourcetype=csrv custid=$custid$
   [ search index=tlog custid=$custid$ | head 1 | eval earliest=relative_time(_time,"-30m") | fields earliest | format ]
| stats count by Env, Region

Perhaps there is a way to avoid doing two searches for this, I just can't think of it.

The reason that metadata doesn't help is that the "lastTime" field is for the index as a whole, and not by custid.

0 Karma

Richfez
SplunkTrust

Two options I can think of off the top of my head:

Perhaps you could build a simple summary index that would contain this (and possibly other) information? You can read up on this here, and/or watch a .conf 2013 session by Jesse Trucks on this sort of technique called "Automating Operational Intelligence: Stats and Summary Indexes". You'll have to search for his presentation on that page, I don't know how to link directly to it.

Another thought was to keep a lookup for this information, then just update it every few minutes. The docs for outputlookup will be a good starting place for this. This is probably slightly less work than the summary index, but less useful as well.

In both cases, you can find specific examples and help in Answers and Splunk blogs.

0 Karma
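Richfez's second option (a periodically refreshed lookup) spelled out in SPL, as an added example that is not from the thread itself. The lookup file name custid_lasttime.csv, the 5-minute schedule and the 10-minute lookback window are assumptions; the field names custid, Env and Region and the $custid$ dashboard token are the ones used in the question.

```spl
# Scheduled search, run every 5 minutes (assumed interval). Only the most
# recent 10 minutes (assumed lookback) are streamed from the indexers; the
# result is merged with the existing lookup so older customers keep their
# last-seen time. Lookup file name custid_lasttime.csv is an assumption.
index=tlog sourcetype=csrv earliest=-10m
| stats max(_time) AS lastTime BY custid
| inputlookup append=true custid_lasttime.csv
| stats max(lastTime) AS lastTime BY custid
| outputlookup custid_lasttime.csv

# Dashboard search: the subsearch reads one row from the lookup instead of
# streaming every event for the customer, then hands "earliest" to the
# outer search exactly as the original subsearch did.
index=tlog sourcetype=csrv custid=$custid$
    [| inputlookup custid_lasttime.csv
     | search custid=$custid$
     | eval earliest=relative_time(lastTime, "-30m")
     | fields earliest
     | format ]
| stats count BY Env, Region
```

The trade-off is freshness: lastTime in the lookup can lag by up to one schedule interval, so activity from the last few minutes moves the 30-minute window only after the next scheduled run. A summary index built with collect instead of outputlookup behaves the same way, with the subsearch reading from the summary index rather than the CSV.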

dturnbull_splun
Splunk Employee

Could you elaborate on your whole use case as it might help with suggesting approaches?

0 Karma

MuS
Legend

And tell us more why you cannot use metadata?

0 Karma