Solved: Results from latest monitored file only (source)

EricPartington · ‎12-18-2011

I have a file monitor sending the contents of a file to splunk. I would like to save a search that only displays results from the latest file that splunk imports.

how would I do this?

I can do it for each file specifically but I would rather have a saved search that selects the latest file (source) by date

Must be something simple that I am missing, just cant think of the solution at the moment.

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎12-19-2011

If these files always come from a the same unique host (or sourcetype), you should get the desired results with the following search;

sourcetype=<your_sourcetype> [search sourcetype=<your_sourcetype> | head 1 | fields + source]

hope this helps,

Kristian

thisissplunk · ‎05-04-2016

What if they don't always come from the same host?

Results from latest monitored file only (source)

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Results from latest monitored file only (source)

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025