Solved: Re: Results from latest monitored file only (sourc...

EricPartington · ‎12-18-2011

I have a file monitor sending the contents of a file to splunk. I would like to save a search that only displays results from the latest file that splunk imports.

how would I do this?

I can do it for each file specifically but I would rather have a saved search that selects the latest file (source) by date

Must be something simple that I am missing, just cant think of the solution at the moment.

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

thisissplunk · ‎05-04-2016

What if they don't always come from the same host?

Results from latest monitored file only (source)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation