Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Display latest data in dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I have a requirement below :
I'm pushing csv file(not pushing regularly) data to splunk index using splunk forwarder.
Using that data need to create a simple dashboard with tables and dropdowns.
So my requirement is when ever i push data, only that data should be shown in dashboard (means latest data)
Example, if i push a csv file on 19th nov that data only should be displayed in table whenever i open that dashboard . for suppose if i pushed again csv file on 23rd nov then tables should display data only for this date.
Here i don't want to change time manually in dashboard for every update.
please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are indexing the data , you still need to select a suitable time range unless you want to slow down your environment by using "All Time"
If different dates have same number of records/fields, then you can just use
index="your index" ....
|stats latest(your field list)However , above approach will not work if you have different number of fields/records for different dates.
In that case you may try below,
index="your index" "other search terms"
|eval date=strftime(_time,"%d-%m-%Y")
|eventstats latest(date) as latest_date
|where date == latest_date
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are indexing the data , you still need to select a suitable time range unless you want to slow down your environment by using "All Time"
If different dates have same number of records/fields, then you can just use
index="your index" ....
|stats latest(your field list)However , above approach will not work if you have different number of fields/records for different dates.
In that case you may try below,
index="your index" "other search terms"
|eval date=strftime(_time,"%d-%m-%Y")
|eventstats latest(date) as latest_date
|where date == latest_date
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith_nair still not working
for example, today no data pushed to splunk but i want to display latest results with out selecting the dynamic time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which part is not working ? As mentioned above you need to select a suitable time range to list the events regardless of how often you send the data. For e.g. If you are sending data once in a month, you need to select a time range to get data from last month from the index since the events are stored with a timestamp. Is this working ?
Alternatively you may consider a lookup file instead of indexing the data if you do not want to select a time range at all.
What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
