Solved: Re: How do i filter out all but the most recent re...

musgrape · ‎06-15-2015

I'd like to create a search that allows me to filter out all the old results and only give me back the latest result for a given field value.
How can I do this? (similar to the latest in the stats command but for the actual results)

For example given the following results:
2015-05-01 Version:1.34 user:b
2015-04-01 Version:1.2 user:a
2015-03-03 Version: 1.34 user:a
2015-02-03 Version: 1.2 user:b

I only want to see the following:
2015-04-01 Version:1.2 user:a
2015-05-01 Version:1.34 user:b

i.e. I only want to see the latest version per user.

woodcock · ‎06-15-2015

Like this:

... | dedup user

View solution in original post

cmeinco · ‎06-15-2015

use the last function:

stats last(version) by user

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions

woodcock · ‎06-15-2015

Like this:

... | dedup user

musgrape · ‎06-15-2015

Perfect thanks. This worked for me:
dedup user sortby -_time | table...

How do i filter out all but the most recent results for a particular field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases