Splunk Search

How to get previous records in splunk



I have multiple records with different data_set values. I want to get each data_set record one at a time. So I tried using count: when count is 1, display the n-1 record; if count is 2, display the n-2 record; and so on.

I tried using dedup, but the list of columns will vary, so a data mismatch was happening. So I thought to get the data based on data_timestamp, which is the data-specific time. With this I am only able to get the latest record, by using the latest timestamp by field, but I am not able to fetch the data_timestamp of the n-1, n-2, etc. records.

Here is the query used to get the latest record:

index="test" source="test_source" | where data = "data_1" and data_set IN ("set_1","set_2","set_2") and data_tag = "tag_1" | stats latest(data_timestamp) as data_timestamp by data_set | table data_timestamp | format
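The following SPL is an added example, not part of the original post, showing one way to reach the n-1, n-2, etc. records per data_set that the question asks about. It keeps the poster's index, source and field names (data, data_set, data_tag, data_timestamp) and assumes data_timestamp is a numeric epoch value so that sort orders it chronologically; the third IN value "set_3" is a hypothetical placeholder for the duplicated "set_2" in the original query, and the value compared against rank is the position you want (1 = latest, 2 = n-1, 3 = n-2, and so on).

```spl
index="test" source="test_source"
| where data="data_1" AND data_set IN ("set_1","set_2","set_3") AND data_tag="tag_1"
| sort 0 - data_timestamp
| streamstats count AS rank BY data_set
| where rank=2
| table data_set rank data_timestamp
```

Design notes: `sort 0` removes the default 10,000-row sort limit so no events are silently dropped before ranking; `streamstats count BY data_set` then numbers the events of each data_set in the order they arrive, which is why the sort must precede it. Because streamstats works on whole events rather than on a fixed column list, the varying set of columns that broke the dedup approach does not matter here. If data_timestamp is stored as a string rather than an epoch number, convert it first (for example with `eval ts=strptime(data_timestamp, "<your format>")`) and sort on that field, otherwise the ordering is lexicographic and the ranks will be wrong.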