Splunk Search

How do I make a search that groups output and gives the max date?

lloyddavage
Explorer

The below query works fine. It displays all of the heartbeats generated. What I would like though is to show just the last heartbeat for each Category, Source. So I can display just the latest timestamp.

Currently, this lists all results desc. What I would like though is the results should be just the top 3 lines so grouped by host, EventCode, Category, EDSource, EDRecordID, EDTime. So it should in this instance display the top 3 lines. This will be across multiple hosts at some point and then can be displayed on a dashboard.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The stats command should do the job. Put this in your query prior to | table:

| stats latest(_time) as _time, latest(EDTime) as EDTime, values(Server) as Server, values(EventCode) as EventCode, values(EDRecordID) as EDRecordID by Category, EDSource
---
If this reply helps you, Karma would be appreciated.


0 Karma

whrg
Motivator

Hello @lloyddavage,

You can use the dedup command to remove events that contain the same field values.

This will give you the last 3 lines for each Category/EDSource combination:

yoursearch
| dedup 3 Category EDSource
0 Karma
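As an added example (not code from either reply above), the following Python emulates what the two suggested SPL commands do to a constructed set of heartbeat events, so the difference between `| stats latest(...) ... by Category, EDSource` and `| dedup 3 Category EDSource` can be seen offline. The event fields and values are assumptions; Splunk's own `latest()` picks the field from the event with the greatest _time, and `values()` returns the sorted distinct values of the whole group.

```python
from collections import defaultdict


def hb(t, source, rec, server="srv1", code=1000):
    """Build one constructed sample heartbeat event (not real data)."""
    return {"_time": t, "EDTime": f"t{t}", "Category": "Heartbeat",
            "EDSource": source, "EDRecordID": rec, "Server": server,
            "EventCode": code}


# Constructed heartbeats: four from AgentA (one via a second server), two from AgentB.
EVENTS = [hb(100, "AgentA", 1), hb(200, "AgentA", 2),
          hb(300, "AgentA", 3, server="srv2"), hb(400, "AgentA", 4),
          hb(150, "AgentB", 5), hb(250, "AgentB", 6)]


def stats_latest_by(events, group_fields, latest_fields, values_fields):
    """Emulate `| stats latest(x) as x ... values(y) as y by <group_fields>`.

    latest(x) comes from the event with the greatest _time in the group;
    values(y) is the sorted list of distinct y values across the whole group,
    so it is NOT restricted to the newest event.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in group_fields)].append(ev)
    rows = []
    for key, evs in groups.items():
        newest = max(evs, key=lambda e: e["_time"])
        row = dict(zip(group_fields, key))
        for f in latest_fields:
            row[f] = newest[f]
        for f in values_fields:
            row[f] = sorted({e[f] for e in evs})
        rows.append(row)
    return sorted(rows, key=lambda r: tuple(r[f] for f in group_fields))


def dedup_n(events, n, fields):
    """Emulate `| dedup N f1 f2`: keep the first N events per distinct
    (f1, f2) combination in the current result order. Splunk returns search
    results newest-first, so events are sorted by _time descending first."""
    seen = defaultdict(int)
    kept = []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        key = tuple(ev[f] for f in fields)
        if seen[key] < n:
            seen[key] += 1
            kept.append(ev)
    return kept
```

One practical consequence visible in the emulation: `values(EDRecordID)` lists every record ID seen for the Category/EDSource pair, so if the dashboard should show only the ID of the most recent heartbeat, `latest(EDRecordID)` is the aggregation to use instead.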


lloyddavage
Explorer

Thank you very much

0 Karma