last indexed data

rsathish47 · ‎03-13-2014

How to search last indexed data in splunk?

somesoni2 · ‎03-13-2014

Does the data getting indexed have timestamp in it? If yes they are they all same for one import? Do the data have any field/combination of field to uniquely identify each row (to differentiate between different imports).

E.g. suppose data to be imported is CustomerId|CurrentBalance. then
import 1 CUS1|100
import 2 CUS1|110
import 3 CUS1|200

If you have CustomerId as unique field for one import, your can use

your base search | stats first(*) as * by CustomerId

richgalloway · ‎03-13-2014

Splunk offers a few search commands to help fetch the most recent data. Since Splunk always searches backwards in time, the first events found will be the most recent. Look at head, stats first(x), and stats latest(x).

---
If this reply helps you, Karma would be appreciated.

rsathish47 · ‎03-13-2014

hmm ok Thanks for reply

Ayn · ‎03-13-2014

But if you can't define this yourself, you can't expect Splunk to be able to define it either...

rsathish47 · ‎03-13-2014

Am not able to define that.. Thats the reason, I would like to know if any workaround to fetch latest data. without mention date time period

Ayn · ‎03-13-2014

How would you define "latest" as opposed to not latest?

rsathish47 · ‎03-13-2014

Example:
per day two/three times data get captured in splunk. I woluld like search only latest captured data .

last indexed data

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!