Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display latest data in dashboard

kirrusk
Communicator
‎11-19-2020 12:59 AM

Hello all,

I have a requirement below :

I'm pushing csv file(not pushing regularly) data to splunk index using splunk forwarder.

Using that data need to create a simple dashboard with tables and dropdowns.

So my requirement is when ever i push data, only that data should be shown in dashboard (means latest data)

Example,  if i push a csv file on 19th nov that data only should be displayed in table whenever i open that dashboard .  for suppose if i pushed again csv file on 23rd nov then tables should display data only for this date.

Here i don't want to change time manually in dashboard for every update.

please suggest

 

  

 

 

 

 

 

 

 

 

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-19-2020 01:39 AM

If you are indexing the data , you still need to select a suitable time range unless you want to slow down your environment by using "All Time"

If different dates have same number of records/fields, then you can just use

index="your index" .... 
|stats latest(your field list)

However , above approach will not work if you have different number of fields/records for different dates.

In that case you may try below,

index="your index" "other search terms"
|eval date=strftime(_time,"%d-%m-%Y")
|eventstats latest(date) as latest_date
|where date == latest_date

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-19-2020 01:39 AM

If you are indexing the data , you still need to select a suitable time range unless you want to slow down your environment by using "All Time"

If different dates have same number of records/fields, then you can just use

index="your index" .... 
|stats latest(your field list)

However , above approach will not work if you have different number of fields/records for different dates.

In that case you may try below,

index="your index" "other search terms"
|eval date=strftime(_time,"%d-%m-%Y")
|eventstats latest(date) as latest_date
|where date == latest_date

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

kirrusk
Communicator
‎11-19-2020 03:41 AM

@renjith_nair  still not working 

for example, today no data pushed to splunk but i want to display latest results with out selecting the dynamic time.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎11-19-2020 05:07 PM

Which part is not working ? As mentioned above you need to select a suitable time range to list the events regardless of how often you send  the data. For e.g. If you are sending data once in a month, you need to select a time range to get data from last month from the index since the events are stored with a  timestamp. Is this working ?

Alternatively you may consider a lookup file instead of indexing the data if you do not want to select a time range at all.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...