Splunk Search

Results from latest monitored file only (source)

EricPartington
Communicator

I have a file monitor sending the contents of a file to splunk. I would like to save a search that only displays results from the latest file that splunk imports.

how would I do this?

I can do it for each file specifically but I would rather have a saved search that selects the latest file (source) by date

Must be something simple that I am missing, just cant think of the solution at the moment.

0 Karma
1 Solution

kristian_kolb
Ultra Champion

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

View solution in original post

kristian_kolb
Ultra Champion

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

View solution in original post

thisissplunk
Builder

What if they don't always come from the same host?

0 Karma

Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on