Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get results only from the last source file?

bruno_eduardo
Path Finder
‎11-20-2015 07:12 AM

Hi,

I got an index which continuously receive new source file automatically, what I want is to my search to only return events from the last source file. Should be something simple but I did not figure it out, maybe with the |head command.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-20-2015 07:37 AM

Like this (replace ... with the exact same base search; yes, twice):

... [ ... | stats latest(source) AS source ]

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-20-2015 07:37 AM

Like this (replace ... with the exact same base search; yes, twice):

... [ ... | stats latest(source) AS source ]
Reply
Solved! Jump to solution

jul1an
Engager
‎11-14-2017 04:33 AM

Yes!! In my case I have solved with head comand:

index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...

Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 07:44 AM

Thanks!!!!

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 07:56 AM

What about the Before Last?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2015 08:07 AM

Like this:

... NOT [ ... | stats latest(source) AS source ]
0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 08:34 AM

But I mean before last source file only

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2015 08:52 AM

Did you try it? That's what it does.

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-20-2015 09:30 AM

Yes I tried, I have 20 source files for this index and when I do this I got 19, every each of them except the last one. What I need is only the 19th one. I already got the 20th with your answer, just need the before last.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2015 06:02 PM

Like this:

... [ ... | dedup source | reverse | list(source) AS source| eval source=mvindex(source,1) ]

You can then adjust the 1 to whichever one you would like.

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-23-2015 06:48 AM

That is really great but don't solve the problem, This search would only help if I had a fixed number of source files, the problems is: The index continuously receive new source file automatically, so I would need to change the search every time.

0 Karma
Reply
Solved! Jump to solution

bruno_eduardo
Path Finder
‎11-23-2015 06:57 AM

Sorry it worked, without the |reverse, look:

index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]

this bring myu before last source file events.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...