How would I display the most recent indexed set of...

mcrawford44 · ‎06-12-2014

We have an index that uses imported data from a CSV. The data is imported daily. The '_time' field is populated by the system time of the import. This gives you the following;

_time1, name1, data1
_time2, name1, data2
_time3, name1, data3

_time1, name2, data1
_time2, name2, data2
_time3, name2, data3

Here we have two records with unique names that were indexed three times. If the record for name2 is deleted from a 4th import.. 1,2, and 3 will still show as they are in the index as historical data. How would I display only the latest 'snapshot or import' for this index?

In other words. Say I add more data on 6/12/2014. I want to dynamically display that latest set, while ignoring the past imports, so that deleted records do not show.

Example query being used. Simple I know.;

index=mdm_activesync | table _time, ID, Company, LinkedMasterAccount, DisplayName, Alias, ActiveSyncEnabled, LastSuccessSync, EmailAddress | sort 0 - LastSuccessSync

somesoni2 · ‎06-12-2014

Try this

index=mdm_activesync | eventstats max(_time) as lastImport | where _time=lastImport| table _time, ID, Company, LinkedMasterAccount, DisplayName, Alias, ActiveSyncEnabled, LastSuccessSync, EmailAddress | sort 0 - LastSuccessSync

OR

index=mdm_activesync [index=mdm_activesync | stats max(_time) as _time | table _time ]| table _time, ID, Company, LinkedMasterAccount, DisplayName, Alias, ActiveSyncEnabled, LastSuccessSync, EmailAddress | sort 0 - LastSuccessSync

How would I display the most recent indexed set of data via _time?

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest