Splunk Search

Specify using the logs with the last timestamp

rbw78
Communicator

Hello,

Is there a solution to specify in my search to get only the logs with the last timestamp ?

In fact, i have some logs created from a single file, the file is generated frequently and i only want to see the result of the last input into splunk.
I set a unique timestamp on all the logs coming from my file.
Of course i can speficy a time range but i can't be sure to have only the last whole result if i do that.

I didn't see any function in the manual which can do that.

Does there's a way of doing this ?

Tags (3)
0 Karma

MarioM
Motivator

there is an internal field _indextime which you will need to make visible using eval then sort it by the latest,for example like this:

<your search> | eval indextime=_indextime | convert ctime(indextime) | sort - indextime
0 Karma

rbw78
Communicator

Yes this is what i mean, the last events indexed.
Sorry my english isn't perfect 🙂

0 Karma

rbw78
Communicator

any advice ? 🙂

0 Karma

MarioM
Motivator

as i said above by default the flashtimeline it's always the last event first displayed...then do you mean last event received/indexed ?

0 Karma

rbw78
Communicator

My aim is to display only the lastest events and the realtime won't be ok because it used a time range.
The timestamp is just a set of numbers that increase with time

0 Karma

MarioM
Motivator

i am not sure what you mean because by default on the flashtimeline it's always the last event first displayed and if you choose realtime it will be last event too but in real-time

0 Karma

rbw78
Communicator

It would be like "Always display the logs with the higher timestamp"

0 Karma

rbw78
Communicator

The amont of logs contained in my file is never the same, so i can't use this function.
The best way would be to use the timestamp which is the same for the logs stored in a common file.

0 Karma

MarioM
Motivator

what about '| head 1' ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...