Find latest data for each grouped item

surfi2000
New Member
    Oct 26 10:40:50 m eg[0]: group:group1 name:name1 size:10 speed:20
    Oct 26 10:40:50 m eg[0]: group:group2 name:name5 size:10 speed:20
    Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:20 speed:50
    Oct 26 10:45:50 m eg[0]: group:group2 name:name5 size:10 speed:20
    Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
    Oct 26 10:50:50 m eg[0]: group:group1 name:name2 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group3 name:name3 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group3 name:name4 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group4 name:name5 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group5 name:name6 size:10 speed:20

I have the above data. I'd like to find a way to only look at the latest entry for a certain name. So for example, 'name:name1' exists 3 times in the above results. The following line is the latest result for 'name:name1':

Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5

It should therefore only include that item in the results. It should then do the same for all the others so that I only have one of each 'name:name?' and each one should be the latest found in the results.

How would I do this?

1 Solution

sdaniels
Splunk Employee

Ok try this and let me know what you get. I'm assuming you have a field extracted for the nameX value called name.

    <your search>| eventstats latest(name) by _time, name | dedup name | table name, _raw, _time

This will show the latest individual values for each 'name' field value you have. You can do whatever you want with the table to show whatever fields you want later. Take out the dedup and you'll be able to see all records and make sure that you are in fact getting the latest one. Pick a set period of time by using earliest=-10m latest=-5min before the first pipe in your search. I'm still trying to play with it to see how to do this in a cleaner way without dedup.
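As an added illustration that is not part of this thread, the Python below models what `dedup name` does over Splunk's newest-first result set for the question's sample lines, including the same-timestamp case for name1, and generalizes the key to any extracted field such as `group`. It assumes that among events sharing the same `_time`, Splunk returns the most recently ingested one first.

```python
import re
from datetime import datetime

# Constructed sample: the ten lines from the question, in ingest (file) order.
SAMPLE = """\
Oct 26 10:40:50 m eg[0]: group:group1 name:name1 size:10 speed:20
Oct 26 10:40:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:20 speed:50
Oct 26 10:45:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
Oct 26 10:50:50 m eg[0]: group:group1 name:name2 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name3 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name4 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group4 name:name5 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group5 name:name6 size:10 speed:20
"""

# Syslog-style prefix "Mon DD HH:MM:SS host proc[pid]:" followed by key:value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ [^:]+: (?P<kv>.*)$"
)


def parse_event(raw, ingest_index):
    """Extract key:value fields from one line; mimics a Splunk field extraction."""
    m = LINE_RE.match(raw)
    if m is None:
        return None
    fields = dict(pair.split(":", 1) for pair in m.group("kv").split())
    # Syslog lines carry no year; strptime defaults to 1900, which is fine for ordering.
    fields["_time"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    fields["_index"] = ingest_index  # position in ingest order, used only as tie-break
    fields["_raw"] = raw
    return fields


def latest_per(raw_text, key="name"):
    """Model `<search> | dedup <key>` over Splunk's newest-first result order.
    Assumed tie-break: among equal _time, the later-ingested line comes first,
    so the last line written for a timestamp wins (as the asker expects)."""
    events = [parse_event(l, i) for i, l in enumerate(raw_text.splitlines()) if l.strip()]
    events = [e for e in events if e is not None]
    newest_first = sorted(events, key=lambda e: (e["_time"], e["_index"]), reverse=True)
    winners = {}
    for e in newest_first:
        winners.setdefault(e[key], e)  # dedup keeps only the first hit per key value
    return winners
```

Calling `latest_per(SAMPLE)` yields one event per name, with name1 resolving to the `size:1 speed:5` line; `latest_per(SAMPLE, key="group")` gives the latest event per group instead.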

surfi2000
New Member

Worked exactly in the way I needed it to. Thanks


sajithdilhan
Engager

This worked for me. Thanks a lot
