Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you do a recursive search for the first val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you do a recursive search for the first value from every morning?
Can you run a Splunk search and have it only return the first log value identified at a certain time per day, and then stop searching that day's logs and move onto the next day, repeat, etc. for the width of the Splunk search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many people do not know this but you can string along pairs of earliest and latest like this:
index=* (earliest=@d latest=now) OR (earliest=-1d@d latest=-1d@d+1h) OR ...
| bin _time span=1d
| dedup _time Your Other Fields Here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@GauravSplunxter community would be able to assist you better if you provide more details with what you have tried so far.
However, maybe use date_hour and date_minute filter in your main search if you are looking for specific log per day and it comes in at a certain time of day. Then you can use first() statistical function along with date_mday (and any other required key field) to capture fist value you are interested in
<yourMainSearch> date_hour IN (yourHourOfDay) AND date_hour IN (yourMinuteOfDay)
| stats first(someField) as firstEvent by date_mday
Another option would be to try with dedup with date_mday (and any other key field)
<yourMainSearch> date_hour IN (yourHourOfDay) AND date_hour IN (yourMinuteOfDay)
| reverse
| dedup date_mday
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maybe you could provide the actual problem you're trying to solve?
Initially, i would say that splunk doesn't work that way, no. You would more likely have to search for all of the data, and then use spl to filter/manipulate results to show the specific events on each day that you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a specific time of the day you want to search OR just the first row that day? What's the timeranges that you're going to use with this search?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
