Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Display last results

jsmith39
Path Finder
‎04-07-2014 05:52 AM

I have a list of servers that do data backups to disk on a week night basis and I've built a query to display the results, and it works great, except on Mondays. Tues-Fri morning the query looks over the last 24 hours and tells me if something happened. Since the servers don't backup on Sat/Sun though, Monday morning I'm always have to tweak the time/date range to get results, and I'd like to change that.

My query is |inputlookup sosservers.csv | join type=outer ComputerName [search sourcetype="WMI:WinEventLog:Application" Database backed up BICS | stats count by ComputerName]

If I end it with .. | head 1 then I only get the last record of one of the 40+ servers it's looking at, so that won't work.

How can I change this query to simply return the latest results for each server in the WMI:WinEventLog:Application sourcetype?

Thank You

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-07-2014 06:00 AM

To only get the most recent event for each field, you can do this:

base search | streamstats count by field | where count=1

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-07-2014 06:00 AM

To only get the most recent event for each field, you can do this:

base search | streamstats count by field | where count=1
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-07-2014 06:18 AM

Sure.

base search | streamstats latest(_time) as latest_time by field | where _time=latest_time
0 Karma
Reply
Solved! Jump to solution

jsmith39
Path Finder
‎04-07-2014 06:16 AM

Thank You, that worked perfectly.
Unfortunately it raised another issue I hadn't though of.

The current query returns a field called count and places a 1 in that field. Which was good enough when I knew it had occurred in the last 24 hours. Now I don't know when it occurred unless I check it. Do you know how I could change the results in the count field to display the time/date stamp of the record it's referencing?

Thank You

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...