×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
user-mcuserface
Engager
Member since: ‎11-24-2023
‎11-28-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-24-2023
Activity Feed
View All

Re: Locate latest record by some grouping field

by SplunkTrust in Splunk Search
‎11-27-2023 05:36 AM
1 Karma
‎11-27-2023 05:36 AM
1 Karma
OK. Don't use the _json sourcetype. It's there so that in a poorly configured environment data is somehow at least partially correctly processed but in a production scenario it shouldn't be used. You should define your own sourcetype. As you're probably not using indexed extractions (and you generally shouldn't use them), you need to set proper timestamp extraction settings in your config along with other settings from the so-called great 8. https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types Finding latest/oldest event (or any other ordered-first/last event) can be done for example by using head or tail command (optionally sorting the data first; remember that by default Splunk returns events in reverse chronological order - newest first - so sorting might not always be necessary). ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-28-2023 02:59 PM
Karma given to
View All