Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get latest 50 events based on real-time in my search?

prasi_17894
New Member
‎04-22-2020 10:01 AM

I am trying to fetch the latest 50 events by _time.

This is the search I used, putting required columns in a table:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table country, site, servicesName, servicesSuccessful, _time

There are only a few items in the search results, but there are at least a million events.

country site    servicesName      servicesSuccessful    _time
MX  02731   GetProductLocations true                   2020-04-22 16:20:53
CA  03739   GetItemInfoForBin      true               2020-04-22 16:20:53
MX  03866   GetProductLocations true                  2020-04-22 16:20:53
UK  04844   GetProductLocations true                  2020-04-22 16:20:53
NI  04396   GetProductLocations true                  2020-04-22 16:20:53

Expected results are shown below, fetching the latest 50 events by time per servicesName, site and country:

country  site   servicesName        servicesSuccessful  _time
MX      02731   GetProductLocations   true             2020-04-22 16:20:53
MX      02731   GetProductLocations   true             2020-04-22 16:18:53
MX      02731   GetProductLocations   false            2020-04-22 16:16:53
MX      02731   GetProductLocations   true             2020-04-22 16:15:53


MX      02731   GetProductLocations   true             2020-04-22 16:00:53


CA      03739   GetItemInfo           true             2020-04-22 16:20:53
CA      03739   GetItemInfo           true             2020-04-22 16:19:53
CA      03739   GetItemInfo           false            2020-04-22 16:18:53



CA      03739   GetItemInfo           true             2020-04-22 15:20:53
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-22-2020 11:49 AM

You can use stats command with latest function and head command:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel" 
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName 
| table servicesSuccessful, _time, servicesName, site, country
| stats latest(*) as *  by servicesName, site, country
| head 50

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-22-2020 11:49 AM

You can use stats command with latest function and head command:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel" 
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName 
| table servicesSuccessful, _time, servicesName, site, country
| stats latest(*) as *  by servicesName, site, country
| head 50
0 Karma
Reply
Solved! Jump to solution

prasi_17894
New Member
‎04-23-2020 05:27 AM

@manjunathmeti Thank you.
The below query worked.

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table servicesSuccessful, _time, servicesName, site, country
| top 50 showcount=false showperc=false _time, servicesSuccessful by country, site, servicesName

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...