Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: if multiple events at different time, only ret...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if multiple events at different time, only return most recent events based on a field
Hi,
I've got a search that returns me the following results:
Basically, I would like to only keep the most recent events for an IPAddress IF the field IPAddress has multiple events at 2 different time and discard the oldest event. In the case of the screenshot above, I would like to remove the highlighted line.
Would that be possible? Let me know if you need more information.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this to the bottom of your existing search:
... | streamstats count BY _time IPAddress
| where count == 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just add this to the bottom:
... | dedup IPAddress
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This won't work because I still need to see all events for an IPAddress. This will only show me one event per IP.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See my new answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Base on the example you provided
| stats values(pluginID) as pluginID by _time, IPAddress delim=","
| slats latest(pluginID) as pluginID, max(_time) as _time by IPAddress
| eval pluginID=split(pluginID,",")
| mvexpand pluginID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Unfortunately this is not working as it only shows one event for IP3 and not 2 events as shown in the OP screenshot.
This is the output:
IPAddress pluginID _time
IP1 94932 2019-11-01 04:19:23
IP2 46172 2019-11-08 20:32:25
IP3 108797 2019-10-31 02:00:21
What I would like is still keep both events for IP3 as per below:
IPAddress pluginID _time
IP1 94932 2019-11-01 04:19:23
IP2 46172 2019-11-08 20:32:25
IP3 108797 2019-10-31 02:00:21
IP3 84729 2019-10-31 02:00:21
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like latest is converting the mv field to a single value. Edited my answer. Please give it a try.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
