- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Display latest data in dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I have a requirement below :
I'm pushing csv file(not pushing regularly) data to splunk index using splunk forwarder.
Using that data need to create a simple dashboard with tables and dropdowns.
So my requirement is when ever i push data, only that data should be shown in dashboard (means latest data)
Example, if i push a csv file on 19th nov that data only should be displayed in table whenever i open that dashboard . for suppose if i pushed again csv file on 23rd nov then tables should display data only for this date.
Here i don't want to change time manually in dashboard for every update.
please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are indexing the data , you still need to select a suitable time range unless you want to slow down your environment by using "All Time"
If different dates have same number of records/fields, then you can just use
index="your index" ....
|stats latest(your field list)However , above approach will not work if you have different number of fields/records for different dates.
In that case you may try below,
index="your index" "other search terms"
|eval date=strftime(_time,"%d-%m-%Y")
|eventstats latest(date) as latest_date
|where date == latest_date
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are indexing the data , you still need to select a suitable time range unless you want to slow down your environment by using "All Time"
If different dates have same number of records/fields, then you can just use
index="your index" ....
|stats latest(your field list)However , above approach will not work if you have different number of fields/records for different dates.
In that case you may try below,
index="your index" "other search terms"
|eval date=strftime(_time,"%d-%m-%Y")
|eventstats latest(date) as latest_date
|where date == latest_date
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith_nair still not working
for example, today no data pushed to splunk but i want to display latest results with out selecting the dynamic time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which part is not working ? As mentioned above you need to select a suitable time range to list the events regardless of how often you send the data. For e.g. If you are sending data once in a month, you need to select a time range to get data from last month from the index since the events are stored with a timestamp. Is this working ?
Alternatively you may consider a lookup file instead of indexing the data if you do not want to select a time range at all.
What goes around comes around. If it helps, hit it with Karma 🙂
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
Join Us for Splunk University and Get Your Bootcamp Game On!
