Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

last dataset from all events

alexeysharkov
Path Finder
‎06-17-2021 10:34 PM

Hello im newbie with Splunk search

Can you please help me

I have HF request which return:

-AAA  datetime_of_change

-BBB datetime_of_change

Every halfhour i get the same dataset from DB to INDEX

I have to get latest dataset (not latest row!)

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2021 01:08 AM

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2021 12:14 AM

Splunk works on being told what the data in the events looks like - the community works in a similar way. If you give us more information about the data you have in your events, it is easier for us to suggest solutions.

0 Karma
Reply
Solved! Jump to solution

alexeysharkov
Path Finder
‎06-18-2021 12:36 AM

For example:

Snapshot 1 from DB

Event _1  DATA=AAA CHGDATE=16.06.2021 11:03

Event _2 DATA=BBB CHGDATE=16.06.2021 11:04

Snapshot 2 from db

Event _3  DATA=AAA CHGDATE=17.06.2021 11:03

Event _4 DATA=BBB CHGDATE=17.06.2021 11:04

Snapshot 3 from db

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event _6 DATA=BBB CHGDATE=17.06.2021 15:04

 

 

I have to get last snapshot data. That's :

Snapshot 3 from db

Event _5  DATA=AAA CHGDATE=17.06.2021 15:03

Event_6 DATA=BBB CHGDATE=17.06.2021 15:04

 

0 Karma
Reply
Solved! Jump to solution

alexeysharkov
Path Finder
‎06-18-2021 12:50 AM

x.PNG

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2021 01:08 AM

Try this

| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA
Reply
Solved! Jump to solution

alexeysharkov
Path Finder
‎06-18-2021 01:24 AM

It work fine , but how to get 

in result: DATA,CHGDATE

sorry it very very difficult for me 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2021 01:31 AM 
| eval _time=strptime(CHGDATE,"%Y-%m-%d %H:%M:%S.%Q")
| stats latest(*) as * by DATA
| table DATA CHGDATE
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2021 12:43 AM

Try something like this (assumes CHGDATE is an epoch datetime, otherwise use strptime to parse the string to get an epoch datetime)

| eval _time=CHGDATE
| stats latest(*) as * by DATA
0 Karma
Reply
Solved! Jump to solution

alexeysharkov
Path Finder
‎06-18-2021 12:59 AM

Just like in SQL Style:

 

select * from splunk_log where _time=

(select max(_time) from splunk_log)

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2021 01:39 AM

SPL is not SQL - SPL works on a pipeline of events being processed and passed on to the next step in the process. If it helps, think of it like a bash script

cat file | grep "value" | sort

Each command passes the results through stdout to the stdin of the next command and only the data in that stdout/stdin pipe gets passed

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...