Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get results only from the last source file?

bruno_eduardo
Path Finder
‎11-20-2015 07:12 AM

Hi,

I got an index which continuously receive new source file automatically, what I want is to my search to only return events from the last source file. Should be something simple but I did not figure it out, maybe with the |head command.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-20-2015 07:37 AM

Like this (replace ... with the exact same base search; yes, twice):

... [ ... | stats latest(source) AS source ]

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-20-2015 07:37 AM

Like this (replace ... with the exact same base search; yes, twice):

... [ ... | stats latest(source) AS source ]
Reply
Solved! Jump to solution

jul1an
Engager
‎11-14-2017 04:33 AM

Yes!! In my case I have solved with head comand:

index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...

Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 07:44 AM

Thanks!!!!

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 07:56 AM

What about the Before Last?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2015 08:07 AM

Like this:

... NOT [ ... | stats latest(source) AS source ]
0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 08:34 AM

But I mean before last source file only

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2015 08:52 AM

Did you try it? That's what it does.

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 09:30 AM

Yes I tried, I have 20 source files for this index and when I do this I got 19, every each of them except the last one. What I need is only the 19th one. I already got the 20th with your answer, just need the before last.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2015 06:02 PM

Like this:

... [ ... | dedup source | reverse | list(source) AS source| eval source=mvindex(source,1) ]

You can then adjust the 1 to whichever one you would like.

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-23-2015 06:48 AM

That is really great but don't solve the problem, This search would only help if I had a fixed number of source files, the problems is: The index continuously receive new source file automatically, so I would need to change the search every time.

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-23-2015 06:57 AM

Sorry it worked, without the |reverse, look:

index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]

this bring myu before last source file events.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...