Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

if multiple events at different time, only return most recent events based on a field

salt87
Engager
‎11-09-2019 12:26 PM

Hi,

I've got a search that returns me the following results:

Basically, I would like to only keep the most recent events for an IPAddress IF the field IPAddress has multiple events at 2 different time and discard the oldest event. In the case of the screenshot above, I would like to remove the highlighted line.

Would that be possible? Let me know if you need more information.

Thanks

Tags (1)
Preview file
20 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎11-10-2019 02:48 PM

Add this to the bottom of your existing search:

... | streamstats count BY _time IPAddress
| where count == 1
0 Karma
Reply

woodcock
Esteemed Legend
‎11-09-2019 03:16 PM

Just add this to the bottom:

... | dedup IPAddress
0 Karma
Reply

salt87
Engager
‎11-10-2019 12:50 PM

Hi,

This won't work because I still need to see all events for an IPAddress. This will only show me one event per IP.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-10-2019 02:49 PM

See my new answer.

0 Karma
Reply

arjunpkishore5
Motivator
‎11-09-2019 01:24 PM

Base on the example you provided

| stats values(pluginID) as pluginID by _time, IPAddress delim=","
| slats latest(pluginID) as pluginID, max(_time) as _time by IPAddress
| eval pluginID=split(pluginID,",")
| mvexpand pluginID
0 Karma
Reply

salt87
Engager
‎11-10-2019 01:03 PM

Hi,

Unfortunately this is not working as it only shows one event for IP3 and not 2 events as shown in the OP screenshot.

This is the output:
IPAddress pluginID _time
IP1 94932 2019-11-01 04:19:23
IP2 46172 2019-11-08 20:32:25
IP3 108797 2019-10-31 02:00:21

What I would like is still keep both events for IP3 as per below:

IPAddress pluginID _time
IP1 94932 2019-11-01 04:19:23
IP2 46172 2019-11-08 20:32:25
IP3 108797 2019-10-31 02:00:21
IP3 84729 2019-10-31 02:00:21

Thanks

0 Karma
Reply

arjunpkishore5
Motivator
‎11-10-2019 02:49 PM

looks like latest is converting the mv field to a single value. Edited my answer. Please give it a try.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...