Knowledge Management

How to retrieve data from the latest file that splunk indexes?

smruti13
Observer

I have 2 indexes( a summary index and a normal index).
I want to search the summary index for all time but want to get only the latest file from the other index i.e time range should be last 30 days, in the same query.
something like this -
(index=dummy_index_summary report_name=dummy_report) OR (index="dummy_index" (sourcetype="abc" host="auirvcbpw001" source="abc" ))

first query should execute for all time whereas second one should excecute for the last 30 days(somehow should return only the latest file) , in the same query.

Can someone please help me ? Thanks in advance!

0 Karma
1 Solution

Sukisen1981
Champion

try this

(index=dummy_index_summary report_name=dummy_report) OR (index="dummy_index" earliest=-30d (sourcetype="abc" host="auirvcbpw001" source="abc" ))

View solution in original post

0 Karma

Sukisen1981
Champion

try this

(index=dummy_index_summary report_name=dummy_report) OR (index="dummy_index" earliest=-30d (sourcetype="abc" host="auirvcbpw001" source="abc" ))

0 Karma

smruti13
Observer

Thanks @Sukisen1981 works like a charm 🙂

0 Karma

vikash_periwal
New Member

HI to this i have one query, for 2nd index i want to select the latest source file , how can we achieve that..
i used |stats latest(source) as source but getting error while running the script

0 Karma

KARANMALHOTRA
Path Finder

Have you tried creating two separate searches and appending their results together. It may be able to do the job you want.

0 Karma

smruti13
Observer

cant use join or append as it makes the query heavy which in turn affects performance. So have to look for a way other than append or join.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...