Splunk Search

Search Help : How to list latest raw event for a field by index and sourcetype?

harshal_chakran
Builder

Hi all,
How to form a table to display latest raw event for field mentioned by index and source type.

This is the output am planning as below:
alt text

The maximum I am able to reach is listing field values but not raw events containing that field.
Any help is appreciated.

Thanks in Advance

0 Karma

FrankVl
Ultra Champion

Do you need this for a few specific fields, known up front, or are you looking for a more generic solution somehow?

If some specific known fields, I guess something along the lines of below should work.

index=* Field_1=*
| stats latest(_raw) as F1_raw by index,sourcetype
| append [
index=* Field_2=*
| stats latest(_raw) as F2_raw by index,sourcetype
]
| stats values(F1_raw) as Field_1 values(F2_raw) as Field_2 by index,sourcetype
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...