We use Splunk to generate reports and provide them to an external application (Tableau). The data sources are CSV files using the following naming standard:
tableau_idwallet_workdate_iddollaru.csv
idwallet = a unique identification number of a customer portfolio
workdate = a processing date
iddollaru = a session number that increases with each generation of the CSV
Most often we have to provide a report that returns all of the data, with simple queries:
index = idx_ofi_tableau_rec | fields - _raw, _span, sourcetype, indexes, source, splunk_server, splunk_server_group
But sometimes traders change a value in their tool and generate a new CSV with the same idwallet identifier and the same workdate. Only iddollaru changes and increments.
We then need to generate a Splunk report that contains all of the data, but only from the CSV with the most recent iddollaru for the same idwallet and the same workdate.
I tried this:
index=idx_ofi_tableau_rec | eval id_trt = idwallet."-".workdate | stats first(*) by id_trt
but it doesn't work. Also, I must not change the field names (with first, the fields are renamed to "first(field)").
Can you help me? Thanks
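Added worked example (not part of the original post, and not the poster's own search): one way to keep every row of the most recent CSV per idwallet/workdate pair while leaving the field names untouched. It assumes the three identifiers are not already extracted as fields and pulls them out of the source filename with rex; if they already exist as fields, drop the rex line. The field name latest_iddollaru is an arbitrary temporary name chosen here.

```spl
index=idx_ofi_tableau_rec
| rex field=source "tableau_(?<idwallet>[^_]+)_(?<workdate>[^_]+)_(?<iddollaru>\d+)\.csv$"
| eval iddollaru=tonumber(iddollaru)
| eventstats max(iddollaru) AS latest_iddollaru BY idwallet workdate
| where iddollaru=latest_iddollaru
| fields - latest_iddollaru, _raw, _span, sourcetype, source, splunk_server, splunk_server_group
```

Two points worth checking on real data. First, eventstats annotates each event with the maximum iddollaru for its idwallet/workdate group instead of collapsing the group, so the where clause keeps all rows of the newest file and discards the older generations; stats first(*) and dedup both reduce each group to a single event, which is not what a full report needs, and stats also renames every field to first(field). Second, values extracted from a filename are strings, and a lexicographic comparison would rank "9" above "10"; the tonumber call makes max() compare the session numbers numerically. The temporary latest_iddollaru field is removed at the end so Tableau sees only the original columns.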