Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the first event from a search AND get 1 event in a timechart by source?

Arnaud1213
Explorer
‎11-25-2016 06:52 AM

Hi all,
How to get the first event from a search AND get only 1 event in a timechart by source ? (and not "by source, span interval):

If I try this search:

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | table _time, source, mySpecificValue

I can get for example 10 events in my source blabla1, 15 in the source blabla2, ... I want to select, for each source, the first one and to chart them with a timechart command.

Thank's in advance for help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-25-2016 07:27 AM

dedup is your friend

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source | table _time, source, mySpecificValue

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Arnaud1213
Explorer
‎11-28-2016 01:00 AM

Hi Martin,
Thank you for your message. Yes I agree: difficult to visualize the need, sorry.



    _time           source                  mySpecificValue

    2016-11-15 13:17:04 E:\myLog\2016_1115_1222_3816.log    41497

    2016-11-15 13:14:23 E:\myLog\2016_1115_1222_3816.log    41497

    2016-11-15 13:11:42 E:\myLog\2016_1115_1222_3816.log    41170

    2016-11-15 13:09:01 E:\myLog\2016_1115_1222_3816.log    40889

    2016-11-15 13:06:18 E:\myLog\2016_1115_1222_3816.log    42621

    2016-11-15 13:03:37 E:\myLog\2016_1115_1222_3816.log    41529

    2016-11-15 13:00:54 E:\myLog\2016_1115_1222_3816.log    42501

    2016-11-15 12:57:10 E:\myLog\2016_1115_1222_3816.log    103884

    2016-11-15 12:24:19 E:\myLog\2016_1115_1222_3816.log    1.8514e+006

    2016-11-16 13:17:04 E:\myLog\2016_1116_1222_3816.log    9872

    2016-11-16 13:14:23 E:\myLog\2016_1116_1222_3816.log    1645

    2016-11-16 13:11:42 E:\myLog\2016_1116_1222_3816.log    41684

    2016-11-16 13:09:01 E:\myLog\2016_1116_1222_3816.log    15438

    2016-11-16 13:06:18 E:\myLog\2016_1116_1222_3816.log    15879

    2016-11-16 13:03:37 E:\myLog\2016_1116_1222_3816.log    1234

    2016-11-16 13:00:54 E:\myLog\2016_1116_1222_3816.log    4254

    2016-11-16 12:57:10 E:\myLog\2016_1116_1222_3816.log    5442

    2016-11-16 12:24:19 E:\myLog\2016_1116_1222_3816.log    123456

Every days I get this type of logs (example of export from splunk with the query above). In one use case, I need to chart only the first event by source because they have a particular meaning, so:



    2016-11-15 12:24:19 E:\myLog\2016_1115_1222_3816.log    1.8514e+006

    2016-11-16 12:24:19 E:\myLog\2016_1116_1222_3816.log    123456

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-26-2016 05:06 PM

Like @martin_mueller mentioned, timechart of a single value might not be of great value, but still check if this might suit your need:

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" 
| chart latest(mySpecificValue) over _time by source

OR

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" 
| timechart latest(mySpecificValue) by source

Depending on what you consider as the first value i.e. earliest, latest , first, last, use the appropriate function in chart command.
Reference of these functions can be found here.

0 Karma
Reply
Solved! Jump to solution

Arnaud1213
Explorer
‎11-28-2016 01:09 AM

Thank you for your answer,
Unfortunately it does not work because all the events are returned (despite of using first or earliest...
I think 'dedup is my friend' as sundareshr mentioned.
Arnaud

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-26-2016 01:42 PM

What is that timechart of one value supposed to look like?
A little more background on your data and use case might help give a more useful answer

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-25-2016 07:27 AM

dedup is your friend

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source | table _time, source, mySpecificValue
0 Karma
Reply
Solved! Jump to solution

Arnaud1213
Explorer
‎11-28-2016 01:06 AM

Thank you, it could help:
If I try my query as yours but by completing with a sort option, it seems working:



index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source sortby +_time | table _time, source, mySpecificValue

--> I get the good result.

Arnaud

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...