Splunk Search

revatiy
New Member

I am new to Splunk.

I am trying to search some events in Splunk. What I want is to get all results which have the field
"co_relation_id". One "co_relation_id" value is present in 4 to 6 different events.

I want to filter (sub search from those 4 to 6 records) and get just one specific record for each unique co_relation_id.

What function shall I use here? I need to use some specific search criteria for my sub-search.

For instance, when I type "co_relation_id" in the search bar I get the following results:

co_relation_id="A" record 1
co_relation_id="A" record 2
co_relation_id="A" record 3
co_relation_id="A" record 4
co_relation_id="B" record 1
co_relation_id="B" record 2
co_relation_id="B" record 3
co_relation_id="B" record 4

From all the above I want two records: co_relation_id="A" record 4 and co_relation_id="B" record 4

Thanks,

revatiy
New Member

Thank you!

chris
Motivator

If record 4 is always the last record/event you are interested in, you could try this:

base search | stats last(_raw) by co_relation_id

last(_raw) will give you the entire record/event. If there is a specific field you are interested in, you can use that instead of _raw.

An example using the _internal index of Splunk would be:

index=_internal source="/opt/splunk/var/log/splunk/metrics.log" | stats last(_raw) as myraw by group

If you do not want to display the co_relation_id (group in the example):

index=_internal source="/opt/splunk/var/log/splunk/metrics.log" | stats last(_raw) as myraw by group | fields myraw
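An added example, not part of chris's answer, that selects one event per co_relation_id by timestamp rather than by the order events reach stats, and keeps a per-ID event count so IDs that fall outside the expected 4 to 6 events stand out. The index and sourcetype names are assumed, not taken from the question.

```spl
index=app_logs sourcetype=app:events co_relation_id=*
| stats latest(_raw) AS latest_event latest(_time) AS last_seen count AS events BY co_relation_id
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table co_relation_id events last_seen latest_event

index=app_logs sourcetype=app:events co_relation_id=*
| dedup co_relation_id sortby -_time
| table _time co_relation_id _raw
```

stats last() returns the last value in input order, and a search hands events to stats newest first, so last(_raw) yields the oldest event of each ID; latest() and dedup ... sortby -_time choose by _time instead, so they return the same event whichever way the results are ordered.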