Solved: How to select values from not the current source b...

PBerry7538 · ‎04-11-2019

So I know that the following will allow me to search and just to select values from the current sourcetype :

[search index= sourcetype="" | stats latest(source) as source | return source] < SPL QUERY>

But i would like to select values from the previous current source ( I am sorry if explaining badly) . Please could anyone help me with how I could do that.

Many Thanks

whrg · ‎04-11-2019

Try this:

[search index=...  sourcetype=... | dedup source | head 2 | reverse | head 1 | return source] < SPL-QUERY>

Alternatively:

[search index=... sourcetype=... | dedup source | streamstats count | search count=2 | return source] < SPL-QUERY>

View solution in original post

PBerry7538 · ‎04-11-2019

@whrg
Thanks very much ! That worked a treat

whrg · ‎04-11-2019

Try this:

[search index=...  sourcetype=... | dedup source | head 2 | reverse | head 1 | return source] < SPL-QUERY>

Alternatively:

[search index=... sourcetype=... | dedup source | streamstats count | search count=2 | return source] < SPL-QUERY>

How to select values from not the current source but from the previous source

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

How to select values from not the current source but from the previous source

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025