Solved: How to work on the latest event only?

zacksoft · ‎06-06-2018

I have my query ready which essentially extracts some fields and displays in a table.
But I want to work on the latest event only.
How do I put condition so that my query only works on the latest one event?

493669 · ‎06-06-2018

try head command:
Returns the first N number of specified results in search order

... | head 1

View solution in original post

harishalipaka · ‎06-06-2018

|sort _time |head 1

Thanks
Harish

zacksoft · ‎06-06-2018

Is |sort _time necessary ?
Won't |head 1 alone will do the job?
Just confirming.

harishalipaka · ‎06-06-2018

If it is realtime data it will come updated with head 1 ..or it is saved data it will directly give top of the value head 1 in this situation you have to sort _time than you will get top value as updated.

Thanks
Harish

493669 · ‎06-06-2018

even if there are duplicates, using head 1 it will took latest one

harishalipaka · ‎06-06-2018

below example explain how it is works .

| makeresults 
| eval A=45 
| eval DateHour="2018-06-06 18:47:22.820" 
| append 
    [| makeresults 
| eval A=30 
| eval DateHour="2018-06-06 18:45:22.820" ] 
| append 
    [| makeresults 
| eval A=50 
| eval DateHour="2018-06-06 18:57:22.000" ]  
| fields - _time
| head 1

Thanks
Harish

493669 · ‎06-06-2018

try head command:
Returns the first N number of specified results in search order

... | head 1

How to work on the latest event only?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!