Splunk Enterprise

How to index only the latest event?


Hi, I'm indexing some SCCM user logon files, but I only want to index the latest event, i.e. the bottom event in the list. Is there an easy way to do this rather than indexing the entire contents and stripping it out at search time?



The latest event, or the latest event for each user? Neither one has an easy way, since the architecture philosophy of Splunk is to index everything and let the search sort them out.

If you are looking for that, you'd probably be best off writing a preprocessor for the file, either a script or a modular input.

Could you explain your use case, so we understand what you are trying to achieve?

In terms of getting the answer at search time, look at the dedup command, and remember that by default, Splunk returns events in most-recent-first order.

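A preprocessor along the lines suggested in the answer above, as an added example that is not from the original thread or from Splunk: a script that keeps only the newest event (overall, or per user) and prints just those lines for indexing. The log line format and the sample lines are constructed assumptions, not real SCCM output.

```python
import re
from datetime import datetime

# Constructed sample of an SCCM-style user logon log (not real SCCM output);
# assumed format: "<timestamp> <user> <event>". Lines are not guaranteed to
# arrive in chronological order, so file position is not used as "latest".
SAMPLE_LINES = [
    "2021-09-01 08:02:11 DOMAIN\\alice LOGON WS-001",
    "2021-09-01 08:05:43 DOMAIN\\bob LOGON WS-002",
    "2021-09-01 17:10:02 DOMAIN\\alice LOGOFF WS-001",
    "2021-09-02 07:58:30 DOMAIN\\bob LOGON WS-002",
    "2021-09-01 09:00:00 DOMAIN\\carol LOGON WS-003",  # out of order on purpose
]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse(line):
    """Return (timestamp, user, raw_line), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), line


def latest_events(lines, per_user=False):
    """Keep only the most recent event overall, or the most recent per user.

    Ties on timestamp go to the line seen later in the file.
    """
    newest = {}  # key -> (timestamp, raw_line)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # skip malformed or header lines rather than guessing
        ts, user, raw = parsed
        key = user if per_user else "*"
        if key not in newest or ts >= newest[key][0]:
            newest[key] = (ts, raw)
    # Emit in key order so the output is stable from run to run
    return [raw for _, (_, raw) in sorted(newest.items())]


if __name__ == "__main__":
    # Scripted-input style: print only the events that should be indexed
    for event in latest_events(SAMPLE_LINES, per_user=True):
        print(event)
```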


Your search | stats latest(_raw) latest(field1) latest(field2) by field3

Get the latest event and add it into indexing.
