Display last results

jsmith39
Path Finder

I have a list of servers that do data backups to disk on week nights, and I've built a query to display the results. It works great, except on Mondays. Tues-Fri morning the query looks over the last 24 hours and tells me if something happened. Since the servers don't back up on Sat/Sun though, on Monday morning I always have to tweak the time/date range to get results, and I'd like to change that.

My query is:

    | inputlookup sosservers.csv | join type=outer ComputerName [search sourcetype="WMI:WinEventLog:Application" Database backed up BICS | stats count by ComputerName]

If I end it with .. | head 1 then I only get the last record of one of the 40+ servers it's looking at, so that won't work.

How can I change this query to simply return the latest results for each server in the WMI:WinEventLog:Application sourcetype?

Thank You

1 Solution

martin_mueller
SplunkTrust

To only get the most recent event for each field, you can do this:

base search | streamstats count by field | where count=1


martin_mueller
SplunkTrust

Sure.

base search | streamstats latest(_time) as latest_time by field | where _time=latest_time

jsmith39
Path Finder

Thank You, that worked perfectly.
Unfortunately it raised another issue I hadn't thought of.

The current query returns a field called count and places a 1 in that field, which was good enough when I knew it had occurred in the last 24 hours. Now I don't know when it occurred unless I check it. Do you know how I could change the results in the count field to display the time/date stamp of the record it's referencing?

Thank You

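As an added example (editor's code, not a query posted by either participant), here is how the streamstats technique from the accepted answer can be folded back into the original query so that every server from the lookup shows the timestamp of its most recent backup event rather than a count of 1, which is what the follow-up question asks for. The lookup name, sourcetype, search terms and the ComputerName field are taken from the question; the field names last_backup_epoch, last_backup, hours_since_backup and status, and the 96-hour staleness threshold, are assumptions chosen so that a Friday-night backup still reads as "ok" on Monday morning.

```spl
| inputlookup sosservers.csv
| join type=outer ComputerName
    [ search sourcetype="WMI:WinEventLog:Application" Database backed up BICS
      | streamstats count by ComputerName
      | where count=1
      | eval last_backup_epoch=_time
      | fields ComputerName last_backup_epoch ]
| eval last_backup=strftime(last_backup_epoch, "%Y-%m-%d %H:%M:%S")
| eval hours_since_backup=round((now() - last_backup_epoch) / 3600, 1)
| eval status=case(isnull(last_backup_epoch), "no backup event in search window",
                   hours_since_backup > 96, "stale",
                   true(), "ok")
| table ComputerName last_backup hours_since_backup status
```

The `search` in the subsearch returns events newest first, so `streamstats count by ComputerName | where count=1` keeps exactly the latest event per server; `dedup ComputerName` at the same position is the common shorthand for the same thing. The outer join keeps servers with no matching event, which is why `isnull(last_backup_epoch)` is checked before the age comparison. Set the time picker wide enough to span the weekend gap (for example, last 7 days) so the Monday run needs no manual adjustment; the hours_since_backup column then tells you how old each server's last backup is, and the status column is what a scheduled alert would test. Subsearches are subject to Splunk's default result and runtime limits, so with a much larger server list a `stats latest(_time) as last_backup_epoch by ComputerName` in the subsearch, or a `lookup` instead of `join`, scales better.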