Splunk Search

How do I make a search that groups output and gives the max date?

New Member

The query below works fine. It displays all of the heartbeats generated. What I would like, though, is to show just the last heartbeat for each Category and Source, so I can display just the latest timestamp.

Currently, this lists all results in descending order. What I would like, though, is for the results to be just the top 3 lines, grouped by host, EventCode, Category, EDSource, EDRecordID, EDTime. So in this instance it should display the top 3 lines. This will be across multiple hosts at some point, and can then be displayed on a dashboard.

0 Karma

Re: How do I make a search that groups output and gives the max date?

SplunkTrust

The stats command should do the job. Put this in your query prior to | table:

| stats latest(_time) as _time, latest(EDTime) as EDTime, values(Server) as Server, values(EventCode) as EventCode, values(EDRecordID) as EDRecordID by Category, EDSource
---
If this reply helps you, an upvote would be appreciated.


0 Karma

Re: How do I make a search that groups output and gives the max date?

New Member

Thank you very much

0 Karma

Re: How do I make a search that groups output and gives the max date?

Motivator

Hello @lloyddavage,

You can use the dedup command to remove events that contain the same field values.

This will give you the last 3 lines for each Category/EDSource combination:

yoursearch
| dedup 3 Category EDSource
0 Karma
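As an added example that is not part of the original thread, the following Python emulates the two answers above (the `stats latest(...) ... by Category, EDSource` reply and the `dedup 3 Category EDSource` reply) over constructed heartbeat events, so the difference between them is visible, and then extends the `stats` approach with the check a practitioner usually wants on a heartbeat dashboard: which sources have gone silent. The field names follow the question; the event values, the BASE timestamp, the 600-second staleness threshold and all helper names are assumptions made for this example.

```python
"""Added example (not from the original thread): emulate the two answers
over constructed heartbeat events so the difference is visible.

Splunk returns search results newest-first.  `dedup N f1 f2` keeps the first
N events per distinct (f1, f2) combination, i.e. the N most recent, while
`stats latest(x) as x ... by f1, f2` collapses each combination to one row.
"""
from collections import defaultdict
from datetime import datetime, timezone

BASE = 1_700_000_000  # epoch seconds; constructed, not from the original post


def _hb(t, host, category, source, rec):
    """Build one constructed heartbeat event with the fields named in the thread."""
    return {
        "_time": t,
        "host": host,
        "EventCode": 100,
        "Category": category,
        "EDSource": source,
        "EDRecordID": rec,
        "EDTime": datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


# Constructed sample data: four beats from AgentA, two from AgentB and one old
# beat from AgentC (an hour before the others), in arbitrary on-disk order.
EVENTS = [
    _hb(BASE + 60, "srv1", "Heartbeat", "AgentA", 2),
    _hb(BASE + 180, "srv1", "Heartbeat", "AgentA", 4),
    _hb(BASE + 30, "srv2", "Heartbeat", "AgentB", 5),
    _hb(BASE, "srv1", "Heartbeat", "AgentA", 1),
    _hb(BASE - 3600, "srv3", "Status", "AgentC", 7),
    _hb(BASE + 120, "srv1", "Heartbeat", "AgentA", 3),
    _hb(BASE + 90, "srv2", "Heartbeat", "AgentB", 6),
]


def newest_first(events):
    """Order events as Splunk presents search results: most recent first."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def stats_latest_by(events, by, latest_fields, values_fields):
    """Emulate `| stats latest(f) as f ... values(g) as g ... by <by fields>`.

    latest() takes the field from the most recent event in the group;
    values() returns the distinct values, sorted lexicographically as strings.
    """
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e[k] for k in by)].append(e)
    rows = []
    for key, members in groups.items():
        newest = newest_first(members)[0]
        row = dict(zip(by, key))
        for f in latest_fields:
            row[f] = newest[f]
        for f in values_fields:
            row[f] = sorted({str(e[f]) for e in members})
        rows.append(row)
    return rows


def dedup_n(events, n, by):
    """Emulate `| dedup N f1 f2 ...`: keep the first N events per combination."""
    seen = defaultdict(int)
    kept = []
    for e in newest_first(events):
        key = tuple(e[k] for k in by)
        if seen[key] < n:
            seen[key] += 1
            kept.append(e)
    return kept


def stale_sources(events, by, now, max_age):
    """Latest heartbeat per group, returning only groups silent for > max_age seconds.

    The SPL equivalent of this check (assumed, not from the thread) is:
      | stats latest(_time) as last_seen by Category, EDSource
      | eval age=now()-last_seen | where age > 600
    """
    rows = stats_latest_by(events, by, ["_time"], [])
    return [dict(r, age=now - r["_time"]) for r in rows if now - r["_time"] > max_age]


if __name__ == "__main__":
    by = ["Category", "EDSource"]
    for r in stats_latest_by(EVENTS, by, ["_time", "EDTime"], ["host", "EventCode", "EDRecordID"]):
        print("stats  ", r)
    print("dedup 3 keeps", len(dedup_n(EVENTS, 3, by)), "of", len(EVENTS), "events")
    for r in stale_sources(EVENTS, by, now=BASE + 200, max_age=600):
        print("STALE  ", r)
```

On the constructed data, `dedup 3` keeps six of the seven events (three for AgentA, two for AgentB, one for AgentC), whereas `stats latest(...) by Category, EDSource` yields exactly one row per combination, which is the shape a single-timestamp-per-source dashboard panel needs. The `stale_sources` step is the natural follow-on for a heartbeat panel: once you have the latest beat per source, a source whose last beat is older than the expected interval is a monitoring gap worth alerting on.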