Getting Data In

How would I display the most recent indexed set of data via _time?

mcrawford44
Communicator

We have an index that uses imported data from a CSV. The data is imported daily. The '_time' field is populated by the system time of the import. This gives you the following;

_time1, name1, data1
_time2, name1, data2
_time3, name1, data3

_time1, name2, data1
_time2, name2, data2
_time3, name2, data3

Here we have two records with unique names that were indexed three times. If the record for name2 is deleted from a 4th import.. 1,2, and 3 will still show as they are in the index as historical data. How would I display only the latest 'snapshot or import' for this index?

In other words. Say I add more data on 6/12/2014. I want to dynamically display that latest set, while ignoring the past imports, so that deleted records do not show.

Example query being used. Simple I know.;

index=mdm_activesync | table _time, ID, Company, LinkedMasterAccount, DisplayName, Alias, ActiveSyncEnabled, LastSuccessSync, EmailAddress | sort 0 - LastSuccessSync
Tags (3)
0 Karma

somesoni2
Revered Legend

Try this

index=mdm_activesync | eventstats max(_time) as lastImport | where _time=lastImport| table _time, ID, Company, LinkedMasterAccount, DisplayName, Alias, ActiveSyncEnabled, LastSuccessSync, EmailAddress | sort 0 - LastSuccessSync

OR

index=mdm_activesync [index=mdm_activesync | stats max(_time) as _time | table _time ]| table _time, ID, Company, LinkedMasterAccount, DisplayName, Alias, ActiveSyncEnabled, LastSuccessSync, EmailAddress | sort 0 - LastSuccessSync
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...