Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Most efficient to find most recent eventtype by host

vbumgarner
Contributor
‎06-15-2011 10:01 AM

It is easy and fast to get the last event logged by a particular host using metadata, but has anyone concocted an efficient way to find the most recent event matching a particular eventtype or query by host?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2011 10:32 AM

Other than

eventtype=myeventtype host=myhost | head 1

I can't think of a better or more efficient way. If you need the most recent one for every host, I would look into using the map command.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2011 10:32 AM

Other than

eventtype=myeventtype host=myhost | head 1

I can't think of a better or more efficient way. If you need the most recent one for every host, I would look into using the map command.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2011 02:23 PM

depends how many hosts, how many events, how the events from each host are interleaved.

0 Karma
Reply
Solved! Jump to solution

vbumgarner
Contributor
‎06-15-2011 01:55 PM

I think map may work, but it's certainly not efficient, and gives no indication of progress. In Jobs, you simply see "subsearch" for each search that it runs.

|metadata type=hosts | fields host | map maxsearches=10000 search="search eventtype=foo host=$host$ | head 1" | fields _time host

It may simply be more efficient to search for the eventtype over all time and use stats max(_time) by host.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...