Here is an expensive way with ugly output using the map command
| stats count | eval host="host_a,host_b,host_c" | makemv delim="," host | mvexpand host | map search="search host=$host$ | head 1 "
Using your CSV file it might look like this...
| inputlookup host_csv | map search="search host=$host$ | head 1 "
Sorry, maybe I explained this incorrectly. I have a bunch of hosts that forward logs to Splunk in the form of a CSV line every minute. I want to do a search of every host, but only get the last line of the log that has been forwarded by the host. So instead of searching every event on each host, I just need to grab the last event for a sourcetype.
Here is what I use now and it works, but I think it's searching every event. I only want it to look at the last event for every host to speed up the search. sourcetype="my source" | where Available_D < 100 | dedup host | sort Available_D a | table host,Available_D
I'd probably abstract this into a lookup file holding state. Specifically, keep in your lookup file the most recent event per host. When you update it incrementally, it is cheap -- and getting the current state from the lookup is super cheap.
A similar answer is here:
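One way to implement the lookup-backed state described in this answer, as an added example rather than code from the thread: the first search runs on a schedule, merges the newest events with what is already in the lookup, keeps only the most recent row per host and writes the result back; the second search reads that lookup instead of re-scanning events. The lookup name host_state.csv, the 15-minute scheduling window and the field name Available_D are assumptions.

```spl
sourcetype="my source" earliest=-15m
| fields host _time Available_D
| inputlookup append=true host_state.csv
| sort 0 -_time
| dedup host
| table host _time Available_D
| outputlookup host_state.csv

| inputlookup host_state.csv
| where Available_D < 100
| sort +Available_D
| table host Available_D
```

On the very first run the lookup file does not exist yet, so run the first search once without the inputlookup line to create it; after that, each scheduled run only touches the events from the last window.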
I tried that, but have not gotten it to work yet. I would think there would be an easier way to work with the last line from every host.
I will try to bake up a concrete example today/tonight of doing this via lookup. Check this space.
To get the last value of a host field you can use the last() function with the stats command.
See the following search code:
sourcetype="my source" | where Available_D < 100 | dedup host | stats last(host) as last_host last(Available_D) as Available_D | sort Available_D a | table last_host Available_D