- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get the first event from a search AND get 1...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
How to get the first event from a search AND get only 1 event in a timechart by source ? (and not "by source, span interval):
If I try this search:
index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | table _time, source, mySpecificValue
I can get for example 10 events in my source blabla1, 15 in the source blabla2, ... I want to select, for each source, the first one and to chart them with a timechart command.
Thank's in advance for help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dedup is your friend
index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source | table _time, source, mySpecificValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martin,
Thank you for your message. Yes I agree: difficult to visualize the need, sorry.
_time source mySpecificValue
2016-11-15 13:17:04 E:\myLog\2016_1115_1222_3816.log 41497
2016-11-15 13:14:23 E:\myLog\2016_1115_1222_3816.log 41497
2016-11-15 13:11:42 E:\myLog\2016_1115_1222_3816.log 41170
2016-11-15 13:09:01 E:\myLog\2016_1115_1222_3816.log 40889
2016-11-15 13:06:18 E:\myLog\2016_1115_1222_3816.log 42621
2016-11-15 13:03:37 E:\myLog\2016_1115_1222_3816.log 41529
2016-11-15 13:00:54 E:\myLog\2016_1115_1222_3816.log 42501
2016-11-15 12:57:10 E:\myLog\2016_1115_1222_3816.log 103884
2016-11-15 12:24:19 E:\myLog\2016_1115_1222_3816.log 1.8514e+006
2016-11-16 13:17:04 E:\myLog\2016_1116_1222_3816.log 9872
2016-11-16 13:14:23 E:\myLog\2016_1116_1222_3816.log 1645
2016-11-16 13:11:42 E:\myLog\2016_1116_1222_3816.log 41684
2016-11-16 13:09:01 E:\myLog\2016_1116_1222_3816.log 15438
2016-11-16 13:06:18 E:\myLog\2016_1116_1222_3816.log 15879
2016-11-16 13:03:37 E:\myLog\2016_1116_1222_3816.log 1234
2016-11-16 13:00:54 E:\myLog\2016_1116_1222_3816.log 4254
2016-11-16 12:57:10 E:\myLog\2016_1116_1222_3816.log 5442
2016-11-16 12:24:19 E:\myLog\2016_1116_1222_3816.log 123456
Every days I get this type of logs (example of export from splunk with the query above). In one use case, I need to chart only the first event by source because they have a particular meaning, so:
2016-11-15 12:24:19 E:\myLog\2016_1115_1222_3816.log 1.8514e+006
2016-11-16 12:24:19 E:\myLog\2016_1116_1222_3816.log 123456
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like @martin_mueller mentioned, timechart of a single value might not be of great value, but still check if this might suit your need:
index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter"
| chart latest(mySpecificValue) over _time by source
OR
index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter"
| timechart latest(mySpecificValue) by source
Depending on what you consider as the first value i.e. earliest, latest , first, last, use the appropriate function in chart command.
Reference of these functions can be found here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer,
Unfortunately it does not work because all the events are returned (despite of using first or earliest...
I think 'dedup is my friend' as sundareshr mentioned.
Arnaud
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is that timechart of one value supposed to look like?
A little more background on your data and use case might help give a more useful answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dedup is your friend
index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source | table _time, source, mySpecificValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, it could help:
If I try my query as yours but by completing with a sort option, it seems working:
index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source sortby +_time | table _time, source, mySpecificValue
--> I get the good result.
Arnaud
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
