Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you do a recursive search for the first value from every morning?

GauravSplunxter
Explorer
‎03-08-2019 08:15 AM

Can you run a Splunk search and have it only return the first log value identified at a certain time per day, and then stop searching that day's logs and move onto the next day, repeat, etc. for the width of the Splunk search?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-10-2019 11:52 AM

Many people do not know this but you can string along pairs of earliest and latest like this:

index=* (earliest=@d latest=now) OR (earliest=-1d@d latest=-1d@d+1h) OR ...
| bin _time span=1d
| dedup _time Your Other Fields Here
0 Karma
Reply

niketn
Legend
‎03-10-2019 08:36 AM

@GauravSplunxter community would be able to assist you better if you provide more details with what you have tried so far.

However, maybe use date_hour and date_minute filter in your main search if you are looking for specific log per day and it comes in at a certain time of day. Then you can use first() statistical function along with date_mday (and any other required key field) to capture fist value you are interested in

<yourMainSearch> date_hour IN (yourHourOfDay) AND date_hour IN (yourMinuteOfDay) 
| stats first(someField) as firstEvent by date_mday

Another option would be to try with dedup with date_mday (and any other key field)

<yourMainSearch> date_hour IN (yourHourOfDay) AND date_hour IN (yourMinuteOfDay) 
| reverse
| dedup date_mday
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

maciep
Champion
‎03-09-2019 05:03 AM

maybe you could provide the actual problem you're trying to solve?

Initially, i would say that splunk doesn't work that way, no. You would more likely have to search for all of the data, and then use spl to filter/manipulate results to show the specific events on each day that you want.

0 Karma
Reply

somesoni2
Revered Legend
‎03-08-2019 08:30 AM

Is there a specific time of the day you want to search OR just the first row that day? What's the timeranges that you're going to use with this search?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...