search the latest event by key

Explorer

I have these events

2013-10-13T12:00:25+0000 {"id":1, "meta":["a", "b"]}
2013-10-13T12:10:11+0000 {"id":1, "meta":["a", "b", "c"]}

2013-10-13T12:30:11+0000 {"id":2, "meta":["a", "b"]}
2013-10-13T12:40:11+0000 {"id":2, "meta":["a"]}

I want to return the latest event by id, like the following:

2013-10-13T12:10:11+0000 {"id":1, "meta":["a", "b", "c"]}
2013-10-13T12:40:11+0000 {"id":2, "meta":["a"]}

I have a subquery which can return

id  _time
----------------------------
1   timestamp(2013-10-13T12:10:11+0000)
2   timestamp(2013-10-13T12:40:11+0000)

How does "search" work with my subquery?

Re: search the latest event by key

Splunk Employee
... | dedup id

will do it.

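
What `dedup id` is doing here, as an added illustration that is not part of this thread: Splunk's `dedup` keeps the first event it sees for each distinct value of the given field, and because a search returns events newest-first by default, the first event per id is the latest one. The Python below is my own example (not Splunk code) that replays that logic over the four events from the question, constructed inline as a string, and it also shows the caveat a practitioner should keep in mind: the same dedup over an ascending stream (as after `sort _time`) keeps the earliest event instead. The function names are my own.

```python
import json
import re
from datetime import datetime

# Constructed sample input: the four events quoted in the question,
# one "<timestamp> <json>" pair per line.
RAW_EVENTS = """\
2013-10-13T12:00:25+0000 {"id":1, "meta":["a", "b"]}
2013-10-13T12:10:11+0000 {"id":1, "meta":["a", "b", "c"]}
2013-10-13T12:30:11+0000 {"id":2, "meta":["a", "b"]}
2013-10-13T12:40:11+0000 {"id":2, "meta":["a"]}
"""

LINE_RE = re.compile(r"^(\S+)\s+(\{.*\})$")


def parse_events(raw):
    """Turn raw lines into (epoch_seconds, fields) tuples; malformed lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, payload = m.groups()
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
            fields = json.loads(payload)
        except ValueError:
            continue
        events.append((when.timestamp(), fields))
    return events


def dedup(events, key):
    """Keep the first event seen for each value of `key`, in stream order.

    This mirrors SPL's `dedup <field>`: which event survives depends entirely
    on the order in which events arrive at this step.
    """
    seen = set()
    kept = []
    for when, fields in events:
        value = fields.get(key)
        if value in seen:
            continue
        seen.add(value)
        kept.append((when, fields))
    return kept


def latest_by_key(raw, key="id"):
    """Newest-first stream (Splunk's default) + dedup = latest event per key."""
    stream = sorted(parse_events(raw), key=lambda e: e[0], reverse=True)
    return {fields[key]: fields for _, fields in dedup(stream, key)}


def earliest_by_key(raw, key="id"):
    """The caveat: an ascending stream + the same dedup = earliest event per key."""
    stream = sorted(parse_events(raw), key=lambda e: e[0])
    return {fields[key]: fields for _, fields in dedup(stream, key)}


if __name__ == "__main__":
    for ident, fields in sorted(latest_by_key(RAW_EVENTS).items()):
        print(ident, fields)
```

Because the result depends on ordering, a search that re-sorts events before `dedup` will silently change which record survives. If the intent is "latest state per id" regardless of what precedes it, `... | stats latest(_raw) as _raw, latest(_time) as _time by id` expresses that without relying on stream order, and `... | sort 0 -_time | dedup id` forces the newest-first order explicitly.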
Re: search the latest event by key

Explorer

I thought "dedup" only removed exactly identical content regardless of _time. Now it works for me.

Re: search the latest event by key

Path Finder

This doesn't seem to work if you have a search string included.