Splunk Search

last dataset from all events

alexeysharkov
Path Finder

Hello, I'm a newbie with Splunk search.

Can you please help me?

I have an HF request which returns:

-AAA  datetime_of_change

-BBB datetime_of_change

Every half hour I get the same dataset from DB to INDEX.

I have to get the latest dataset (not the latest row!)

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA

ITWhisperer
SplunkTrust
SplunkTrust

Splunk works on being told what the data in the events looks like - the community works in a similar way. If you give us more information about the data you have in your events, it is easier for us to suggest solutions.

0 Karma

alexeysharkov
Path Finder

For example:

Snapshot 1 from DB

Event _1  DATA=AAA CHGDATE=16.06.2021 11:03

Event _2 DATA=BBB CHGDATE=16.06.2021 11:04

Snapshot 2 from DB

Event _3  DATA=AAA CHGDATE=17.06.2021 11:03

Event _4 DATA=BBB CHGDATE=17.06.2021 11:04

Snapshot 3 from DB

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event _6 DATA=BBB CHGDATE=17.06.2021 15:04

I have to get the last snapshot's data. That's:

Snapshot 3 from DB

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event _6 DATA=BBB CHGDATE=17.06.2021 15:04

0 Karma

alexeysharkov
Path Finder

x.PNG

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA

alexeysharkov
Path Finder

It works fine, but how do I get DATA, CHGDATE in the result?

Sorry, it is very, very difficult for me.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA
| table DATA CHGDATE

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this (assumes CHGDATE is an epoch datetime; otherwise use strptime to parse the string to get an epoch datetime):

| eval _time=CHGDATE
| stats latest(*) as * by DATA

0 Karma

alexeysharkov
Path Finder

Just like in SQL style:

select * from splunk_log where _time=
(select max(_time) from splunk_log)

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

SPL is not SQL. SPL works on a pipeline of events being processed and passed on to the next step in the process. If it helps, think of it like a bash script:

cat file | grep "value" | sort

Each command passes the results through stdout to the stdin of the next command, and only the data in that stdout/stdin pipe gets passed.

0 Karma
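A self-contained version of the accepted search and of the pipeline idea described above, added here as an example; it is not code from any post in the thread. It builds the six events from alexeysharkov's sample snapshots inline with makeresults (constructed data, so it runs without any index), parses CHGDATE into _time, and keeps the latest event per DATA value. The strptime format "%d.%m.%Y %H:%M" is an assumption that matches the CHGDATE values shown in the thread; the accepted answer used a different format for the real data, so adjust that one string to whatever your events contain.

```spl
| makeresults
| eval row=mvappend(
    "AAA,16.06.2021 11:03",
    "BBB,16.06.2021 11:04",
    "AAA,17.06.2021 11:03",
    "BBB,17.06.2021 11:04",
    "AAA,17.06.2021 15:03",
    "BBB,17.06.2021 15:04")
| mvexpand row
| rex field=row "^(?<DATA>[^,]+),(?<CHGDATE>.+)$"
| eval _time=strptime(CHGDATE, "%d.%m.%Y %H:%M")
| stats latest(*) as * by DATA
| table DATA CHGDATE
```

Read it as the bash pipeline ITWhisperer describes: makeresults, mvappend and mvexpand produce one row per sample event, rex extracts DATA and CHGDATE, eval turns CHGDATE into an epoch _time, and stats receives only those rows. The result is the two Snapshot 3 rows (AAA at 17.06.2021 15:03, BBB at 17.06.2021 15:04). Two caveats worth checking on real data: latest() orders by _time, so the eval must run before stats, otherwise "latest" means latest by index time rather than by CHGDATE; and because the search keeps the newest event per DATA value, a key that is absent from the most recent snapshot still shows its row from an older snapshot, so this is not a strict "rows of the last snapshot only" filter. A literal translation of the SQL subquery (keep rows where _time equals the maximum _time) would not help here either: the two rows of one snapshot carry different CHGDATE values, so only the BBB row would survive.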