Solved: How to get results only from latest source file of...

avni26 · ‎10-16-2019

HI,
I got an index which send data to sourcetype with new source file every week.
what I want is to my dashboard search query only return events from the latest source file.
For example , my index is - index_sdx2 sourctype is -- splunk_data and there are multiple sources inside this sourcetype like data1.csv data1_10082019.csv data1_11102019.csv
And I want to take only data from latest source , that is all events from source= data1_11102019.csv
I tried like below
index="index_sdx2" sourcetype=splunk_data |eventstats first(_time) as time | where _time==time
But its not giving all data from source data1_11102019.csv
please suggest.

knielsen · ‎10-16-2019

I think

index="index_sdx2" sourcetype=splunk_data [search index="index_sdx2" sourcetype=splunk_data | head 1 | fields source]

should work.

View solution in original post

knielsen · ‎10-16-2019

I think

index="index_sdx2" sourcetype=splunk_data [search index="index_sdx2" sourcetype=splunk_data | head 1 | fields source]

should work.

avni26 · ‎10-16-2019

@knielsen, yes its working.Thank you. But performance is slow. Its taking too much time load in dashboard.

How to get results only from latest source file of particular sourcetype

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio