Splunk Search

last dataset from all events

alexeysharkov
Explorer

Hello, I'm a newbie with Splunk search.

Can you please help me?

I have an HF request which returns:

-AAA  datetime_of_change

-BBB datetime_of_change

Every half hour I get the same dataset from the DB into the INDEX.

I have to get the latest dataset (not the latest row!).

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Splunk works on being told what the data in the events looks like - the community works in a similar way. If you give us more information about the data you have in your events, it is easier for us to suggest solutions.

0 Karma

alexeysharkov
Explorer

For example:

Snapshot 1 from DB

Event _1  DATA=AAA CHGDATE=16.06.2021 11:03

Event _2 DATA=BBB CHGDATE=16.06.2021 11:04

Snapshot 2 from db

Event _3  DATA=AAA CHGDATE=17.06.2021 11:03

Event _4 DATA=BBB CHGDATE=17.06.2021 11:04

Snapshot 3 from db

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event _6 DATA=BBB CHGDATE=17.06.2021 15:04

I have to get the last snapshot's data. That's:

Snapshot 3 from db

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event _6 DATA=BBB CHGDATE=17.06.2021 15:04

0 Karma

alexeysharkov
Explorer

x.PNG

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA

alexeysharkov
Explorer

It works fine, but how do I get DATA, CHGDATE in the result?

Sorry, it is very, very difficult for me.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA
| table DATA CHGDATE

0 Karma
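To make the accepted answer's pipeline concrete, here is an added Python model (not from the thread or from Splunk) of what `eval _time=strptime(...)`, `stats latest(*) as * by DATA` and `table DATA CHGDATE` do to the six sample events the asker posted. It assumes the "%d.%m.%Y %H:%M" layout of those examples; the real format string must match whatever is actually indexed.

```python
from datetime import datetime

# Constructed sample events, copied from the asker's three DB snapshots.
EVENTS = [
    {"event": "_1", "DATA": "AAA", "CHGDATE": "16.06.2021 11:03"},
    {"event": "_2", "DATA": "BBB", "CHGDATE": "16.06.2021 11:04"},
    {"event": "_3", "DATA": "AAA", "CHGDATE": "17.06.2021 11:03"},
    {"event": "_4", "DATA": "BBB", "CHGDATE": "17.06.2021 11:04"},
    {"event": "_5", "DATA": "AAA", "CHGDATE": "17.06.2021 15:03"},
    {"event": "_6", "DATA": "BBB", "CHGDATE": "17.06.2021 15:04"},
]

# Assumed layout of CHGDATE in the sample above (not the answer's format string).
CHGDATE_FORMAT = "%d.%m.%Y %H:%M"


def eval_time(events, fmt=CHGDATE_FORMAT):
    """Mirror `| eval _time=strptime(CHGDATE, fmt)`: attach an epoch _time."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["_time"] = datetime.strptime(ev["CHGDATE"], fmt).timestamp()
        out.append(ev)
    return out


def stats_latest_by(events, key):
    """Mirror `| stats latest(*) as * by <key>`: for each distinct value of
    <key>, keep only the event with the greatest _time."""
    latest = {}
    for ev in events:
        k = ev[key]
        if k not in latest or ev["_time"] > latest[k]["_time"]:
            latest[k] = ev
    return latest


def table(rows, *fields):
    """Mirror `| table f1 f2 ...`: project each row onto the named fields."""
    return [tuple(r[f] for f in fields) for r in rows]


def latest_row(events):
    """The thing the asker does NOT want: a single newest event overall."""
    return max(eval_time(events), key=lambda ev: ev["_time"])


def latest_dataset(events):
    """The thread's goal: one row per DATA value, taken from the newest snapshot."""
    by_data = stats_latest_by(eval_time(events), "DATA")
    rows = sorted(by_data.values(), key=lambda ev: ev["DATA"])
    return table(rows, "DATA", "CHGDATE")
```

Note that if a snapshot can omit a DATA value, `latest(*) by DATA` (and this model) will fill that row from an older snapshot, so the output may mix snapshots.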

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this (assumes CHGDATE is an epoch datetime, otherwise use strptime to parse the string to get an epoch datetime)

| eval _time=CHGDATE
| stats latest(*) as * by DATA

0 Karma

alexeysharkov
Explorer

Just like in SQL style:


select * from splunk_log where _time=

(select max(_time) from splunk_log)

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

SPL is not SQL - SPL works on a pipeline of events being processed and passed on to the next step in the process. If it helps, think of it like a bash script:

cat file | grep "value" | sort

Each command passes the results through stdout to the stdin of the next command, and only the data in that stdout/stdin pipe gets passed.

0 Karma