Splunk Search

How to create a report on the results of the latest events only?



I am trying to create a report that only looks at the latest events by a sourcetype.
The sourcetype is an indexed text file, and it its pulls in the events every time the file changes.

This is the working search:

index=ops sourcetype="csv-marketData" earliest=-12h@h |  where Price!="NA" 
| eval cal_mkt_cap=round(Share_Outstanding * Price,3) 
| eval rnd_MKT_CAP = round(MARKET_CAP,3) 
| eval perc_range = (cal_mkt_cap / rnd_MKT_CAP)*100
| where perc_range < 99
| eval rnd_perc = round(perc_range,2)
| rename cal_mkt_cap as "Calculated MKT CAP" 
| rename rnd_MKT_CAP as "Provided MKT CAP"
| rename rnd_perc as "%"
| table ID "Calculated MKT CAP" "Provided MKT CAP" "%"

I would like this table to only show results from the latest set of events. each event set has the same _time value. new events can come in minutes apart of once daily, so I would like to always be reviewing the indexed file.

Thanks for your help.

0 Karma


You can run your search on the basis of indexed time and only use the events that are latest. That is, if you run the search every 4 hours, you can write a query to search for events in indexed time-stamps in those four hours and sort it. That should give you a headstart.

0 Karma

Revered Legend

So you want to see latest record for each (assuming ID is something unique) OR latest records for a day?

0 Karma


Latest records for each ID. Yes ID is Unique.

Each time the file is updated every row is indexed, i want to always be working with the latest version of the file.

for example,
There could be data for at 8:53AM and 9:01AM, I want the 9:01AM (latest) version of all the ID's to then run my evaluations and reports against.

Hopefully thats clear, I can try to get a snippet of the events if that makes it easier to explain.

0 Karma

Revered Legend

I'm assuming the file name remains the same, it's being updated. Based on a statement that you wrote in the question (new events can come in minutes apart of once daily), I believe something like this could work:

index=ops sourcetype="csv-marketData" [| tstats max(_time) as _time WHERE index=ops sourcetype="csv-marketData" earliest=-12h | bucket span=1m _time | eval earliest=_time | eval latest=_time+60 | table earliest latest | format "" "" "" "" "" "" ] 
 |  where Price!="NA" 
 | eval cal_mkt_cap=round(Share_Outstanding * Price,3) 
 | eval rnd_MKT_CAP = round(MARKET_CAP,3) 
 | eval perc_range = (cal_mkt_cap / rnd_MKT_CAP)*100
 | where perc_range < 99
 | eval rnd_perc = round(perc_range,2)
 | rename cal_mkt_cap as "Calculated MKT CAP" 
 | rename rnd_MKT_CAP as "Provided MKT CAP"
 | rename rnd_perc as "%"
 | table ID "Calculated MKT CAP" "Provided MKT CAP" "%"
0 Karma


Spot on! Thank you.

I admit my attempt to solve this was not even close.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...