Splunk Search

last dataset from all events

alexeysharkov
Path Finder

Hello, I'm a newbie with Splunk search.

Can you please help me?

I have an HF request which returns:

-AAA  datetime_of_change

-BBB datetime_of_change

Every half hour I get the same dataset from the DB into the index.

I have to get the latest dataset (not the latest row!).

1 Solution

ITWhisperer
SplunkTrust

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA


ITWhisperer
SplunkTrust

Splunk works on being told what the data in the events looks like - the community works in a similar way. If you give us more information about the data you have in your events, it is easier for us to suggest solutions.


alexeysharkov
Path Finder

For example:

Snapshot 1 from DB

Event_1 DATA=AAA CHGDATE=16.06.2021 11:03
Event_2 DATA=BBB CHGDATE=16.06.2021 11:04

Snapshot 2 from DB

Event_3 DATA=AAA CHGDATE=17.06.2021 11:03
Event_4 DATA=BBB CHGDATE=17.06.2021 11:04

Snapshot 3 from DB

Event_5 DATA=AAA CHGDATE=17.06.2021 15:03
Event_6 DATA=BBB CHGDATE=17.06.2021 15:04

I have to get the last snapshot's data. That is:

Snapshot 3 from DB

Event_5 DATA=AAA CHGDATE=17.06.2021 15:03
Event_6 DATA=BBB CHGDATE=17.06.2021 15:04


alexeysharkov
Path Finder

(screenshot attachment: x.PNG)


ITWhisperer
SplunkTrust

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA

alexeysharkov
Path Finder

It works fine, but how do I get DATA and CHGDATE in the result?

Sorry, it is very, very difficult for me.


ITWhisperer
SplunkTrust

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA
| table DATA CHGDATE


ITWhisperer
SplunkTrust

Try something like this (assumes CHGDATE is an epoch datetime, otherwise use strptime to parse the string to get an epoch datetime)

| eval _time=CHGDATE
| stats latest(*) as * by DATA

alexeysharkov
Path Finder

Just like in SQL style:

select * from splunk_log where _time = (select max(_time) from splunk_log)


ITWhisperer
SplunkTrust

SPL is not SQL. SPL works on a pipeline of events being processed and passed on to the next step in the process. If it helps, think of it like a bash script:

cat file | grep "value" | sort

Each command passes its results through stdout to the stdin of the next command, and only the data in that stdout/stdin pipe gets passed on.

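To make the difference between the accepted `stats latest(*) as * by DATA` answer and the SQL-style `where _time = (select max(_time) ...)` idea concrete, here is an added example in Python that is not part of any post in this thread. It replays the six constructed events from the example above, attaches an epoch time the way `eval _time=strptime(...)` does, and then applies both strategies. The CHGDATE format `%d.%m.%Y %H:%M` is an assumption taken from the example values (the accepted answer's `%Y-%m-%d %H:%M:%S.%Q` matches the poster's real data, which is not shown here); the field names DATA and CHGDATE are the thread's own.

```python
"""Latest snapshot per key vs. latest row overall.

Added example, not from the original thread. It mirrors in plain Python
what the SPL
    | eval _time=strptime(CHGDATE, fmt)
    | stats latest(*) as * by DATA
    | table DATA CHGDATE
does, and contrasts it with a SQL-style global max(_time) filter.
"""
from datetime import datetime

# Constructed sample events (three half-hourly snapshots of two keys),
# copied from the example values in the thread.
EVENTS = [
    {"DATA": "AAA", "CHGDATE": "16.06.2021 11:03"},
    {"DATA": "BBB", "CHGDATE": "16.06.2021 11:04"},
    {"DATA": "AAA", "CHGDATE": "17.06.2021 11:03"},
    {"DATA": "BBB", "CHGDATE": "17.06.2021 11:04"},
    {"DATA": "AAA", "CHGDATE": "17.06.2021 15:03"},
    {"DATA": "BBB", "CHGDATE": "17.06.2021 15:04"},
]

# Assumed format for the sample values above; the real field may differ
# (the accepted answer used "%Y-%m-%d %H:%M:%S.%Q" for the poster's data).
CHGDATE_FORMAT = "%d.%m.%Y %H:%M"


def with_time(events, fmt=CHGDATE_FORMAT):
    """Equivalent of `eval _time=strptime(CHGDATE, fmt)`: attach an epoch."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["_time"] = datetime.strptime(ev["CHGDATE"], fmt).timestamp()
        out.append(ev)
    return out


def latest_by_key(events, key="DATA"):
    """Equivalent of `stats latest(*) as * by DATA`.

    For each distinct key keep the event with the greatest _time. The
    union of those rows is the latest snapshot, even though the rows of
    one snapshot do not share a single timestamp.
    """
    latest = {}
    for ev in events:
        cur = latest.get(ev[key])
        if cur is None or ev["_time"] > cur["_time"]:
            latest[ev[key]] = ev
    return sorted(latest.values(), key=lambda e: e[key])


def latest_row_only(events):
    """The SQL-style idea: WHERE _time = (SELECT max(_time) ...).

    Keeps every row whose _time equals the global maximum. Because each
    row carries its own CHGDATE, this normally yields one row, not the
    whole snapshot, which is why it does not solve the question.
    """
    max_time = max(ev["_time"] for ev in events)
    return [ev for ev in events if ev["_time"] == max_time]


def table(events, *fields):
    """Equivalent of `table DATA CHGDATE`: project the chosen fields."""
    return [tuple(ev[f] for f in fields) for ev in events]


if __name__ == "__main__":
    timed = with_time(EVENTS)
    print("stats latest(*) by DATA:", table(latest_by_key(timed), "DATA", "CHGDATE"))
    print("global max(_time) filter:", table(latest_row_only(timed), "DATA", "CHGDATE"))
```

Running it shows the per-key approach returning both rows of snapshot 3 (AAA at 15:03 and BBB at 15:04), while the global max filter returns only the BBB row, because AAA's row in the same snapshot is a minute older.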