Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Display last results

jsmith39
Path Finder
‎04-07-2014 05:52 AM

I have a list of servers that do data backups to disk on a week night basis and I've built a query to display the results, and it works great, except on Mondays. Tues-Fri morning the query looks over the last 24 hours and tells me if something happened. Since the servers don't backup on Sat/Sun though, Monday morning I'm always have to tweak the time/date range to get results, and I'd like to change that.

My query is |inputlookup sosservers.csv | join type=outer ComputerName [search sourcetype="WMI:WinEventLog:Application" Database backed up BICS | stats count by ComputerName]

If I end it with .. | head 1 then I only get the last record of one of the 40+ servers it's looking at, so that won't work.

How can I change this query to simply return the latest results for each server in the WMI:WinEventLog:Application sourcetype?

Thank You

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-07-2014 06:00 AM

To only get the most recent event for each field, you can do this:

base search | streamstats count by field | where count=1

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-07-2014 06:00 AM

To only get the most recent event for each field, you can do this:

base search | streamstats count by field | where count=1
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-07-2014 06:18 AM

Sure.

base search | streamstats latest(_time) as latest_time by field | where _time=latest_time
0 Karma
Reply
Solved! Jump to solution

jsmith39
Path Finder
‎04-07-2014 06:16 AM

Thank You, that worked perfectly.
Unfortunately it raised another issue I hadn't though of.

The current query returns a field called count and places a 1 in that field. Which was good enough when I knew it had occurred in the last 24 hours. Now I don't know when it occurred unless I check it. Do you know how I could change the results in the count field to display the time/date stamp of the record it's referencing?

Thank You

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...