Solved: Re: Results from latest monitored file only (sourc...

EricPartington · ‎12-18-2011

I have a file monitor sending the contents of a file to splunk. I would like to save a search that only displays results from the latest file that splunk imports.

how would I do this?

I can do it for each file specifically but I would rather have a saved search that selects the latest file (source) by date

Must be something simple that I am missing, just cant think of the solution at the moment.

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

thisissplunk · ‎05-04-2016

What if they don't always come from the same host?

Results from latest monitored file only (source)

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout