Solved: Results from latest monitored file only (source)

EricPartington · ‎12-18-2011

I have a file monitor sending the contents of a file to splunk. I would like to save a search that only displays results from the latest file that splunk imports.

how would I do this?

I can do it for each file specifically but I would rather have a saved search that selects the latest file (source) by date

Must be something simple that I am missing, just cant think of the solution at the moment.

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

thisissplunk · ‎05-04-2016

What if they don't always come from the same host?

Results from latest monitored file only (source)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms