Solved: Re: How to get results only from latest source fil...

avni26 · ‎10-16-2019

HI,
I got an index which send data to sourcetype with new source file every week.
what I want is to my dashboard search query only return events from the latest source file.
For example , my index is - index_sdx2 sourctype is -- splunk_data and there are multiple sources inside this sourcetype like data1.csv data1_10082019.csv data1_11102019.csv
And I want to take only data from latest source , that is all events from source= data1_11102019.csv
I tried like below
index="index_sdx2" sourcetype=splunk_data |eventstats first(_time) as time | where _time==time
But its not giving all data from source data1_11102019.csv
please suggest.

knielsen · ‎10-16-2019

I think

index="index_sdx2" sourcetype=splunk_data [search index="index_sdx2" sourcetype=splunk_data | head 1 | fields source]

should work.

View solution in original post

knielsen · ‎10-16-2019

I think

index="index_sdx2" sourcetype=splunk_data [search index="index_sdx2" sourcetype=splunk_data | head 1 | fields source]

should work.

avni26 · ‎10-16-2019

@knielsen, yes its working.Thank you. But performance is slow. Its taking too much time load in dashboard.

How to get results only from latest source file of particular sourcetype

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!