Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search Help : How to list latest raw event for a field by index and sourcetype?

harshal_chakran
Builder
‎04-16-2019 01:48 AM

Hi all,
How to form a table to display latest raw event for field mentioned by index and source type.

This is the output am planning as below:
alt text

The maximum I am able to reach is listing field values but not raw events containing that field.
Any help is appreciated.

Thanks in Advance

Preview file
9 KB
0 Karma
Reply

FrankVl
Ultra Champion
‎04-16-2019 02:15 AM

Do you need this for a few specific fields, known up front, or are you looking for a more generic solution somehow?

If some specific known fields, I guess something along the lines of below should work.

index=* Field_1=*
| stats latest(_raw) as F1_raw by index,sourcetype
| append [
index=* Field_2=*
| stats latest(_raw) as F2_raw by index,sourcetype
]
| stats values(F1_raw) as Field_1 values(F2_raw) as Field_2 by index,sourcetype
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...