Summary: how to get most recent events for a given ID (for dummies)
I have data in the following format:
# OStime OSip OSreg OSstatus
1340406378 10.34.245.50 AG "NO TM"
1340406378 10.34.245.64 AG "NO TM"
1340406378 10.34.245.65 AG "NO TM"
OStime (which is correctly recognized as a timestamp) is unique to a set of data - there are many OStime entries in the index but I am only interested in the most recent one.
... | stats first(OStime)
correctly shows me the first instance of
I then tried to use it in an eval to get only data corresponding to this timestamp
... | eval mostrecent = stats first(OStime) | search OStime=mostrecent
This fails with an "Error in 'eval' command: The operator at 'first(OStime)' is invalid."
Thanks in advance for pointing out what is wrong; I looked at the examples in the documentation for eval, and they look like mine except that they work 🙂
eval works on a per-event basis, so stats commands for operating on multiple events don't apply.
Splunk should already have indexed your data so that it uses OStime as its internal timestamp as well. In that case, getting the most recent event could be achieved like this:
... | head 1
I believe that there is a bit of confusion of concepts.
stats operates on the whole set of events returned from the base search, and in your case you want to extract a single value from that set.
eval creates a new field for all events returned in the search. Creating a new field called 'mostrecent' for all events is probably not what you intended.
Also if you look more closely at the documentation for eval, you will see that stats is not a valid function to
The default behaviour of Splunk is to return the most recent events first, so if you just want to find all events that have the same OStime as the most recent event you can use the head command in a subsearch;
sourcetype=your_sourcetype [search sourcetype=your_sourcetype | head 1 | fields + OStime]
The subsearch (within the square brackets) returns the field OStime (along with its value) for the most recent event (head 1) and adds it to the outer search, so that the main search reads something like;
Hope this helps,
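An added example, not part of either answer above: the same result without a subsearch, using eventstats to attach the maximum OStime to every event and then where to keep only the events that carry it. It assumes the placeholder sourcetype=your_sourcetype from the answer and the field names from the question's sample data.

```spl
sourcetype=your_sourcetype
| eventstats max(OStime) AS mostrecent
| where OStime = mostrecent
| table OStime OSip OSreg OSstatus
```

Unlike eval, which can only compute from the fields of the single event it is looking at, eventstats runs an aggregate over the whole result set and writes the answer back onto each event, so the per-event comparison in where becomes possible. Using max() rather than first() also makes the result independent of the order in which events are returned.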