How to write a search that returns the most recent event for a sourcetype on every host?

Path Finder

I have a csv file on every computer and need to just search the last event for every host. I can't get a search to work without searching every event on every host. I have used dedup, but it still searches every host.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

Splunk Employee

Here is an expensive way with ugly output using the map command:

    | stats count
    | eval host="host_a,host_b,host_c"
    | makemv delim="," host
    | mvexpand host
    | map search="search host=$host$ | head 1"

Using your CSV file it might look like this (inputlookup is a generating command, so it goes first and takes the lookup name as a bare argument):

    | inputlookup host_csv
    | map search="search host=$host$ | head 1"

Better Solution

Actually, host info can be queried by metadata so this "Most recent event from each source?" answer from Ayn may be adapted to solve this problem more neatly.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

Path Finder

Sorry, maybe I explained this incorrectly. I have a bunch of hosts that forward logs to Splunk in the form of a csv line every minute. I want to do a search of every host, but only get the last line of the log that has been forwarded by the host. So instead of searching every event on each host, I just need to grab the last event for a sourcetype.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

Path Finder

Here is what I use now and it works, but I think it's searching every event. I only want it to look at the last event for every host to speed up the search.

    sourcetype="my source" | where Available_D < 100 | dedup host | sort Available_D a | table host, Available_D

Re: How to write a search that returns the most recent event for a sourcetype on every host?

SplunkTrust

I'd probably abstract this into a lookup file holding state. Specifically, keep in your lookup file the most recent event per host. When you update it incrementally, it is cheap -- and getting the current state from the lookup is super cheap.

A similar answer is here:

http://answers.splunk.com/answers/216701/how-to-send-an-alert-email-the-first-time-since-th.html
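As an added example of the state-lookup approach described above (my own search, not code from this thread): a search scheduled every 5 minutes that keeps only the most recent event per host in a lookup, so the reporting search never has to scan raw events. It assumes the lookup is named host_state.csv and already exists (seed it once by running the first two lines over your full history followed by `| outputlookup host_state.csv`), and that the CSV field is called Available_D as in the thread.

```spl
sourcetype="my source" earliest=-10m
| stats latest(_time) AS last_seen, latest(Available_D) AS Available_D BY host
| inputlookup append=true host_state.csv
| sort 0 -last_seen
| dedup host
| outputlookup host_state.csv
```

Once the lookup is populated, the cheap read is `| inputlookup host_state.csv | where tonumber(Available_D) < 100 | sort +Available_D | table host, Available_D, last_seen`. A host that stops forwarding keeps its last row, so last_seen also tells you which hosts have gone quiet.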

Re: How to write a search that returns the most recent event for a sourcetype on every host?

Path Finder

I tried that, but have not gotten it to work yet. I would think there would be an easier way to work with the last line from every host.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

SplunkTrust

I will try to bake up a concrete example today/tonight of doing this via lookup. Check this space.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

Path Finder

Great, let me know if you come up with something.

Re: How to write a search that returns the most recent event for a sourcetype on every host?

Motivator

Hi chadman,
To get the last value of a field per host you can use the last() function with the stats command.

See the following search code (stats drops every field it does not aggregate, so Available_D is kept by aggregating it per host rather than aggregating host itself):

    sourcetype="my source" | where Available_D < 100 | stats last(Available_D) AS Available_D BY host | sort Available_D a | table host, Available_D