Solved: Re: search the latest event by key

wood1986 · ‎10-17-2013

I have these events

2013-10-13T12:00:25+0000 {"id":1, "meta":["a", "b"]}
2013-10-13T12:10:11+0000 {"id":1, "meta":["a", "b", "c"]}

2013-10-13T12:30:11+0000 {"id":2, "meta":["a", "b"]}
2013-10-13T12:40:11+0000 {"id":2, "meta":["a"]}

I want to return the latest event by id. like the followings.

2013-10-13T12:10:11+0000 {"id":1, "meta":["a", "b", "c"]}
2013-10-13T12:40:11+0000 {"id":2, "meta":["a"]}

I have a subquery which can return

id  _time
----------------------------
1   timestamp(2013-10-13T12:10:11+0000)
2   timestamp(2013-10-13T12:40:11+0000)

How "search" work with my subquery?

gkanapathy · ‎10-17-2013

... | dedup id

will do it.

View solution in original post

gkanapathy · ‎10-17-2013

... | dedup id

will do it.

demodav · ‎11-24-2015

This doesn't seem to work if you have a search string included.

wood1986 · ‎10-17-2013

I thought "dedup" only remove the exact same content regardless of the _time. Now it works for me

search the latest event by key

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms