
Find latest data for each grouped item

New Member
    Oct 26 10:40:50 m eg[0]: group:group1 name:name1 size:10 speed:20
    Oct 26 10:40:50 m eg[0]: group:group2 name:name5 size:10 speed:20
    Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:20 speed:50
    Oct 26 10:45:50 m eg[0]: group:group2 name:name5 size:10 speed:20
    Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
    Oct 26 10:50:50 m eg[0]: group:group1 name:name2 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group3 name:name3 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group3 name:name4 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group4 name:name5 size:10 speed:20
    Oct 26 10:50:50 m eg[0]: group:group5 name:name6 size:10 speed:20

I have the above data. I'd like to find a way to only look at the latest entry for a certain name. So for example, 'name:name1' exists 3 times in the above results. The following line is the latest result for 'name:name1':

Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5

It should therefore only include that item in the results. It should then do the same for all the others so that I only have one of each 'name:name?' and each one should be the latest found in the results.

How would I do this?


Re: Find latest data for each grouped item

Splunk Employee

OK, try this and let me know what you get. I'm assuming you have a field extracted for the nameX value called name.

<your search>| eventstats latest(name) by _time, name | dedup name | table name, _raw, _time

This will show the latest individual values for each 'name' field value you have. You can do whatever you want with the table to show whatever fields you want later. Take out the dedup and you'll be able to see all records and make sure that you are in fact getting the latest one. Pick a set period of time by using earliest=-10m latest=-5min before the first pipe in your search. I'm still playing with it to see how to do this in a cleaner way without dedup.

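The same latest-per-name selection, written as an added Python example that is not part of this thread and not Splunk's own code. It parses the ten constructed lines from the question, keys each event by its name field and keeps only the newest event for that key, breaking equal timestamps by arrival order so the second 10:45:50 line for name1 wins, which is the line the question calls the latest. It also generalizes the field to group by (the field argument), and the year supplied to the timestamp parser is an assumption, since syslog-style timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the same ten lines as the question, no real host data.
SAMPLE_LOG = """\
Oct 26 10:40:50 m eg[0]: group:group1 name:name1 size:10 speed:20
Oct 26 10:40:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:20 speed:50
Oct 26 10:45:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
Oct 26 10:50:50 m eg[0]: group:group1 name:name2 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name3 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name4 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group4 name:name5 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group5 name:name6 size:10 speed:20
"""

# syslog-style prefix: "<Mon DD HH:MM:SS> <host> <process>: <key:value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>\S+):\s+(?P<kv>.*)$"
)

# Assumption: the timestamps carry no year, so a placeholder year is supplied.
DEFAULT_YEAR = 2020


def parse_line(line, year=DEFAULT_YEAR):
    """Turn one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse "Oct  6" day padding
    event = {
        "_time": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "_raw": line,
        "host": m["host"],
    }
    for token in m["kv"].split():
        key, sep, value = token.partition(":")
        if sep:  # skip stray tokens that are not key:value shaped
            event[key] = value
    return event


def latest_per(lines, field="name"):
    """Keep only the newest event for each distinct value of `field`.

    Ties on _time are broken by arrival order (a later line wins), which is
    how the question treats the two 10:45:50 lines for name1.
    """
    newest = {}
    for seq, line in enumerate(lines):
        event = parse_line(line)
        if event is None or field not in event:
            continue
        rank = (event["_time"], seq)
        current = newest.get(event[field])
        if current is None or rank > current[0]:
            newest[event[field]] = (rank, event)
    return {value: event for value, (_, event) in newest.items()}


if __name__ == "__main__":
    for value, event in sorted(latest_per(SAMPLE_LOG.splitlines()).items()):
        print(f"{value:6} {event['_time']:%H:%M:%S} {event['_raw']}")
```

The explicit (_time, sequence) rank is the point worth checking against the Splunk version: dedup keeps the first event it meets in result order, which is newest-first for a plain search, but the order of events that share the same _time is not something to rely on, so tie cases like the two 10:45:50 lines for name1 are the ones to verify by running the search once without the dedup, as the answer suggests.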

Re: Find latest data for each grouped item

New Member

Worked exactly in the way I needed it to. Thanks.


Re: Find latest data for each grouped item

Engager

This worked for me. Thanks a lot.
