Getting Data In

How do you pull out the latest entry "only" for the last numbers entered?

New Member

I have one file that is pulled in by a universal forwarder setup.

This file is constantly changing on the system on which it resides, and the old data is never removed. I don't want the search to display historical data for each item, as I only want Splunk to poll this data for the current date and have this data displayed. The file is a _json file with epoch time. Currently I have my SPL search and the following:

earliest=-0d@d latest=now
| dedup customer
| eval trigger=strftime(last_number, "%T %F %Z")
| table customer number trigger
| rename trigger as Date_Time

Would the above be accurate for me to attain only the results that I need? I only want to display the latest from this imported json file for each customer, based off the last_number field.

0 Karma
1 Solution

Esteemed Legend

That should be fine if last_number was used for _time. If not, you need this (and probably a wider/longer time span for earliest):

earliest=-0d@d latest=now
| sort 0 - last_number
| dedup customer
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time


0 Karma

SplunkTrust

The stats latest(FIELD) as FIELD command is going to be the best way to do this.

Your current query may fail if you run it very early in the morning, such as at 12:05 am.

Better to do something like SEARCH | stats latest(last_number) as last_number or even SEARCH | stats latest(*) as *. This will return the most recent of all fields.

Note that if your fields in the event change you might need some extra tricks that I can help you with.

All the best

0 Karma
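To make the difference between the searches in the two answers concrete, here is an added Python simulation (it is not code from the thread or from Splunk) that replays Splunk's dedup, sort and stats latest semantics over a handful of constructed JSON events. The field names customer, number and last_number come from the question; the event values, the _time ingest timestamps and the helper names are all made up for the example. It shows why plain dedup only works when last_number drives _time, that sort + dedup and stats latest agree with each other, and what the "12:05 am" pitfall of earliest=@d looks like.

```python
"""Simulation of the Splunk searches discussed above (added example, not
from the thread).  _time models when the forwarder ingested the event;
last_number is the epoch value carried inside the JSON event itself."""
import json
from datetime import datetime, timezone

# Constructed events in the order they were appended to the file (oldest
# first).  Note that acme's number 103 was ingested *after* 102 but carries
# an *older* last_number, which is exactly the case where dedup alone fails.
RAW_EVENTS = """
{"_time": 1700000100, "customer": "acme",   "number": 101, "last_number": 1700000000}
{"_time": 1700003700, "customer": "globex", "number": 7,   "last_number": 1700003600}
{"_time": 1700007300, "customer": "acme",   "number": 102, "last_number": 1700007200}
{"_time": 1700009000, "customer": "acme",   "number": 103, "last_number": 1700005000}
{"_time": 1700010900, "customer": "globex", "number": 8,   "last_number": 1700010800}
"""


def load_events(raw=RAW_EVENTS):
    """Parse one JSON object per line (the _json sourcetype shape)."""
    return [json.loads(line) for line in raw.strip().splitlines()]


def search_window(events, earliest, latest):
    """Model 'earliest=... latest=...': keep events whose _time falls in the
    window and return them in Splunk's default reverse-_time order."""
    hits = [e for e in events if earliest <= e["_time"] <= latest]
    return sorted(hits, key=lambda e: e["_time"], reverse=True)


def dedup(events, field="customer"):
    """'| dedup customer': keep the first event seen per value, drop the rest.
    Which event is 'first' depends entirely on the incoming order."""
    seen, kept = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            kept.append(ev)
    return kept


def sort_then_dedup(events, by="last_number", field="customer"):
    """'| sort 0 - last_number | dedup customer' from the accepted answer:
    ordering by the JSON field first makes dedup pick the real latest entry."""
    return dedup(sorted(events, key=lambda e: e[by], reverse=True), field)


def stats_latest(events, by="last_number", field="customer"):
    """'| stats latest(*) as * by customer', with `by` standing in for the
    timestamp that decides 'latest' (in real Splunk that is _time, so this
    only matches the accepted answer when last_number is used as _time)."""
    best = {}
    for ev in events:
        if ev[field] not in best or ev[by] > best[ev[field]][by]:
            best[ev[field]] = ev
    return sorted(best.values(), key=lambda e: e[field])


def format_trigger(epoch):
    """eval Date_Time=strftime(last_number, "%T %F %Z"), rendered in UTC.
    %T and %F are spelled out so the format works on every platform."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%H:%M:%S %Y-%m-%d %Z")


if __name__ == "__main__":
    evs = load_events()
    whole_day = search_window(evs, 0, 2_000_000_000)
    print("dedup only      :", [(e["customer"], e["number"]) for e in dedup(whole_day)])
    print("sort + dedup    :", [(e["customer"], e["number"]) for e in sort_then_dedup(whole_day)])
    print("stats latest    :", [(e["customer"], e["number"]) for e in stats_latest(whole_day)])
    # 1700006400 is 2023-11-15 00:00:00 UTC; searching at 00:05 with
    # earliest=@d sees only five minutes of data and returns nothing.
    print("@d at 00:05 UTC :", search_window(evs, 1700006400, 1700006700))
    for e in sort_then_dedup(whole_day):
        print(e["customer"], e["number"], format_trigger(e["last_number"]))
```

Running it shows dedup alone returning acme 103 (the most recently ingested event) while both sort + dedup and stats latest return acme 102 (the largest last_number), which is the behaviour the question actually asks for; the empty result for the five-minute window is the early-morning failure the second answer warns about, and the fix is the wider earliest span the first answer suggests.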