Solved: How to get the rows changed since last time I exec...

shahhe · ‎01-25-2011

Is there a way I can do a search so that it returns the rows inserted since last time I ran the query?

earliest=last time I ran the search

Thanks.

Paolo_Prigione · ‎01-26-2011

If you are speaking about a scheduled search, than the answer is definitely yes: you do that by playing with the frequency of execution and earliest/latest times. E.g. If you automatically run the query every 30 minutes, you might want to have:

... earliest=-31m@m latest=-1m@m

To pick 30 mnutes worth of data, but allowing splunk a 1 minute delay to index data which has just arrived.

If instead you are speaking about manual execution I don't think that is easily feasible.

View solution in original post

Paolo_Prigione · ‎01-26-2011

If you are speaking about a scheduled search, than the answer is definitely yes: you do that by playing with the frequency of execution and earliest/latest times. E.g. If you automatically run the query every 30 minutes, you might want to have:

... earliest=-31m@m latest=-1m@m

To pick 30 mnutes worth of data, but allowing splunk a 1 minute delay to index data which has just arrived.

If instead you are speaking about manual execution I don't think that is easily feasible.

Paolo_Prigione · ‎01-27-2011

I see...then why not use a saved and scheduled search, which fires your python script when it finds new events? The script would receive a csv of the new results and save you a headache 😉

shahhe · ‎01-26-2011

I have a python script that I want to run when certain event occurs and I want to get data that changed since last time I ran the query.
Right now I am saving the timestamp to the file and use it next time I run the query.

How to get the rows changed since last time I executed the query?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio