Getting Data In

How to get results only from the last source file?

bruno_eduardo
Path Finder

Hi,

I got an index which continuously receives new source files automatically; what I want is for my search to only return events from the last source file. It should be something simple, but I did not figure it out, maybe with the |head command.

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this (replace ... with the exact same base search; yes, twice):

... [ ... | stats latest(source) AS source ]

jul1an
Engager

Yes!! In my case I have solved it with the head command:

index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...

bruno_eduardo
Path Finder

Thanks!!!!

0 Karma

bruno_eduardo
Path Finder

What about the Before Last?

0 Karma

woodcock
Esteemed Legend

Like this:

... NOT [ ... | stats latest(source) AS source ]

0 Karma

bruno_eduardo
Path Finder

But I mean before last source file only

0 Karma

woodcock
Esteemed Legend

Did you try it? That's what it does.

0 Karma

bruno_eduardo
Path Finder

Yes, I tried. I have 20 source files for this index and when I do this I get 19, every one of them except the last one. What I need is only the 19th one. I already got the 20th with your answer; I just need the one before last.

0 Karma

woodcock
Esteemed Legend

Like this:

... [ ... | dedup source | reverse | stats list(source) AS source | eval source=mvindex(source,1) ]

You can then adjust the 1 to whichever one you would like.

0 Karma

bruno_eduardo
Path Finder

That is really great but doesn't solve the problem. This search would only help if I had a fixed number of source files; the problem is: the index continuously receives new source files automatically, so I would need to change the search every time.

0 Karma

bruno_eduardo
Path Finder

Sorry, it worked without the |reverse, look:

index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]

This brings my before-last source file events.

Thanks

0 Karma
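As an added example (not posted by anyone in this thread), the same "Nth most recent source file" selection written so that it does not depend on how many source files the index holds or on the order `dedup` happens to produce. It assumes the index name `index="myindex"` from the thread; `rank=2` selects the before-last file, `rank=1` the latest.

```spl
index="myindex"
    [ search index="myindex"
      | stats latest(_time) AS latest_time BY source
      | sort - latest_time
      | streamstats count AS rank
      | where rank=2
      | fields source ]
```

The subsearch ranks every source by the time of its newest event, so only the base search and the `rank` value ever need to change as new files arrive.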