Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you pull out the latest entry "only" for the last numbers entered?

bzsplunk54
New Member
‎02-13-2019 02:31 PM

I have one file that is pulled in by a universal forwarder setup.

This file is constantly changing on the system for which the file resides on, and the old data is never removed. I don't want the search to display historical data for each item as I only want Splunk to poll this data for the current date and have this data displayed. The file is a _json file with epoch time. Currently I have my SPL search and the following: 

earliest =-0d@d latest=now
|dedup customer
|eval trigger=strftime(last_number, "%T %F %Z")
|table customer number trigger
|rename trigger as Date_Time

Would the above be accurate for me to attain only the results that I need? I only want to display the latest from this imported _json file for each customer based off the last_number field.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-13-2019 04:46 PM

That should be fine if last_number was used for _time. If not, you need this (and probably a wider/longer time span for earliest😞

earliest =-0d@d latest=now
| sort 0 - last_number
| dedup customer
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-13-2019 04:46 PM

That should be fine if last_number was used for _time. If not, you need this (and probably a wider/longer time span for earliest😞

earliest =-0d@d latest=now
| sort 0 - last_number
| dedup customer
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time
0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 03:29 PM

The stats latest(FIELD) as FIELD command is going to be the best way to do this.

Your current query may fail if you run it very early in the morning at as 12:05 am.

Better to do something like SEARCH | stats latest(last_numer) as last_number or even SEARCH | stats latest(*) as *` This will return the most recent of all fields.

Note that if you fields in the event change you might need some extra tricks that I can help you with.

All the best

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...