Splunk Enterprise

How to index only the latest event?


Hi, I'm indexing some SCCM user logon files but I only want to index the latest event, i.e. the bottom event in the list. Is there an easy way to do this rather than indexing the entire contents and stripping it out at search time?

0 Karma


The latest event, or the latest event for each user? Neither one has an easy way, since the architecture philosophy of Splunk is to index everything and let the search sort them out.

If you are looking for that, you'd probably be best off writing a preprocessor for the file, either a script or a modular input.

Could you explain your use case, so we understand what you are trying to achieve?

In terms of getting the answer at search time, look at the dedup command, and remember that by default, Splunk returns events in most-recent-first order.

0 Karma
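As an added example (not code from the original thread or from Splunk), here is the kind of preprocessor the answer above suggests: a small Python script that reads the logon file and emits only the latest event, either overall or per user, so that only those lines are handed to the input. The log layout (a timestamp followed by key=value pairs) and the field names user/host/action are assumptions for the sake of the example; a real SCCM export will differ and the regexes would need adjusting. It chooses the latest event by parsed timestamp rather than by file position, because the "bottom" line of a log is not guaranteed to be the newest one.

```python
import re
import sys
from datetime import datetime

# Constructed sample data for the example; the SCCM export format is assumed, not real.
# Note the bob line at 12:10 appears after alice's 17:40 line: file order != time order.
SAMPLE = """\
2021-09-01 08:15:02 user=DOMAIN\\alice host=WS001 action=logon
2021-09-01 09:02:44 user=DOMAIN\\bob host=WS002 action=logon
2021-09-01 17:40:11 user=DOMAIN\\alice host=WS003 action=logon
2021-09-01 12:10:00 user=DOMAIN\\bob host=WS002 action=logon
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Return (timestamp, fields, raw_line) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return ts, fields, line.rstrip("\n")


def latest_events(text, key=None):
    """Return the raw line of the latest event overall (key=None),
    or one line per distinct value of `key` (e.g. key="user"), oldest first."""
    latest = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip headers or blank lines instead of aborting the run
        ts, fields, raw = parsed
        k = fields.get(key) if key else None
        if key and k is None:
            continue  # cannot group an event that lacks the key field
        # '>=' keeps the later line in the file when two events share a timestamp
        if k not in latest or ts >= latest[k][0]:
            latest[k] = (ts, raw)
    return [raw for _, raw in sorted(latest.values())]


if __name__ == "__main__":
    # Used as a scripted input: read the file given on the command line (or the
    # constructed sample) and print only the lines that should be indexed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    group_by = sys.argv[2] if len(sys.argv) > 2 else None
    for raw in latest_events(text, key=group_by):
        print(raw)
```

Run it as `python latest_logon.py logons.txt` for the single newest event or `python latest_logon.py logons.txt user` for the newest event per user; what it prints is what gets indexed, so the rest of the file is never forwarded. Whether dropping the older events is acceptable depends on what the logons are used for: once discarded at ingest they are gone for any later investigation, which is the trade-off the answer above is pointing at when it recommends indexing everything and using dedup at search time.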


Your search | stats latest(_raw) latest(field1) latest(field2) by field3

Get the latest event and add it into indexing.

0 Karma