Re: Updating based on column

jimjohn · ‎03-05-2014

Hi All,

I have a configured a folder to read csv files.
My csv files column will be in same format.
Consider I have 2 csv say 1 and 2.These excels are loaded into folder at different dates.
Example.
1.csv (loading date yesterday)
Id Status
1 DEV
2 QA
2.csv (loading date today)
Id Status
1 PROD
2 PROD

Instead of splunk showing all the data I want to show the last status of an Id.
Ie since the status of id's 1 and 2 are changed to PROD i want to show that status only.
Is it possible.
One option i can see is search the column with latest time.
Did we have any configuration we can set at data loading time itself to achieve this.

HiroshiSatoh · ‎03-06-2014

How is STATS?

････|stats last(Status) as Status by Id

HiroshiSatoh · ‎03-06-2014

I'm sorry. It was FIRST.

････|stats first(Status) as Status by Id

jimjohn · ‎03-06-2014

Yes it worked.Instead of last I give first.

Updating based on column

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation