Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to restrict events based on the time range?

bollam
Path Finder
‎06-21-2018 12:09 AM

Hello,

I have a script which runs every 4 hours and the output is written to Splunk, Everyday six are being written to Splunk.
I need to restrict events based on the time range I select, For an instance, When I look for the last 24 hours I need only one event to be shown, but actually there are six events in the last 24 hours, Similarly when I check for the last 7 days I need to see only 7 events i.e., one event from each day need to be displayed. I'm not sure if it's possible.

Tags (1)
0 Karma
Reply

FrankVl
Ultra Champion
‎06-21-2018 12:18 AM

Try adding this to your search:

| bin _time span=1d | dedup _time

I think this gets you the last event of each day.

Reply

bollam
Path Finder
‎06-21-2018 01:34 AM

Thanks FrankVI for the prompt response!! It worked!!

0 Karma
Reply

FrankVl
Ultra Champion
‎06-21-2018 01:42 AM

You're welcome 🙂

Please mark the answer as accepted, so this can easily be found by others with the same question in the future 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...