Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I show only the two most recent events in a table?

jambajuice
Communicator
‎01-20-2011 04:59 AM

Let's say I have a table that looks like the following:

Date        Host       Port
1/1/2011    HostA      80
1/2/2011    HostA      80
1/3/2011    HostA      80
1/1/2011    HostB      443
1/2/2011    HostB      443
1/3/2011    HostB      443

How do I filter my table so that only the two most recent events for each host/port combination is displayed?

Thx.

Craig

Tags (1)
Reply

FunPolice
Path Finder
‎02-22-2012 04:39 PM

I may be looking for a similar thing. I want to retrieve all events that match the date/time of the most recent event (because I have an audit script that runs monthly with two fields - Test and Count - and if there is a zero result for a test (the tests may change over time) then it isn't logged:

2012-01-18T22:00:00Z Valid 500
2012-01-18T22:00:00Z Fail-Pwd 3
2012-01-18T22:00:00Z Fail-NoMgr 45
2012-01-18T22:00:00Z Fail-NoExpire 7
2012-01-18T22:00:00Z Pass 1445
2012-02-22T22:25:15Z Valid 500
2012-02-22T22:25:15Z Fail-NoMgr 45
2012-02-22T22:25:15Z Fail-NoExpire 7
2012-02-22T22:25:15Z Pass 1448

Dedup will return a result from last month if there was a zero result this month (in my case, the "Fail-Pwd 3" event), so I use the following:

index="MyIndex" sourcetype="MySourcetype" [metadata index=MyIndex type=sourcetypes | where sourcetype="MySourcetype" | eval earliest = lastTime | fields earliest]

This gives me every event with a timestamp that's the same as the most recent event.

Reply

sideview
SplunkTrust
SplunkTrust
‎01-20-2011 07:04 AM

All you need is this on the end of your search: 

<your search>  | dedup 2 Host Port

Usually dedup only keeps the last row for each value, but you can tell it to keep the last N rows instead.

http://www.splunk.com/base/Documentation/latest/SearchReference/Dedup

Reply

sideview
SplunkTrust
SplunkTrust
‎01-23-2011 06:47 PM

It actually sounds like in your comment you're asking an entirely different question which is a bit confusing. And the answer to the second question is just "use the time controls to restrict your search to just that one date"?

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎01-20-2011 11:20 PM

Let me see if I get it -- so you want to see 2 events for each host+port combination, unless they're on different days in which case you only want to show the most recent of the two dates?

0 Karma
Reply

jambajuice
Communicator
‎01-20-2011 09:27 PM

What about if I only want to see events from the 1/3/2011 date? I've tried dedup 1 host date, but I'm seeing one record from each date rather than all results from the most recent date.

Thanks for your help!!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...