Search with a dynamic time window to find the most...

JWBailey · ‎06-03-2015

I have splunk monitoring a location that receives uploaded files. The file is uploaded once a day, at unknown times.

Is it possible to write a search such that it will use only the most recent uploaded set of data? I could write it to use “yesterday” as the time window, but if today’s data has already been uploaded I would like to use it. I also need to be aware that it is possible to upload a file at 11:55PM and again at 12:05 AM, I need to make sure my search doesn’t include both of these data sets.

Thanks for the assistance.

woodcock · ‎06-03-2015

Try this (search with a timepicker value that is long enough to always include the oldest possible set of data that might also be the newest):

... | stats (first)source AS newest | where source=newest

JWBailey · ‎06-03-2015

I don't see how this works. Once I use the stats command, don't I lose all the other fields that contain the data I am using to generate my results?

woodcock · ‎06-03-2015

Yes, I meant this:

... | stats (first)source AS newest | map search="source=$newest$"

Search with a dynamic time window to find the most recent set of specific events.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...