Solved: Get the last Json Inserted document

sibbsnb · ‎05-01-2014

I have an Index where i store huge Json documents. I want the last document inserted which contains the latest state. What is the most efficient command.

1) tail 1
2) latest
3) dedup

richgalloway · ‎05-01-2014

Since Splunk searches backward in time, tail will give you the oldest entry rather than the latest. I prefer to use 'head 1' to find the most recent event.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-01-2014

Since Splunk searches backward in time, tail will give you the oldest entry rather than the latest. I prefer to use 'head 1' to find the most recent event.

---
If this reply helps you, Karma would be appreciated.

sibbsnb · ‎05-01-2014

Great, thanks a lot. That helps. So i don't even need to mention any time modifiers. Just do head 1 and i get the latest Json.

somesoni2 · ‎05-01-2014

If you just want one records which was inserted/indexed recently, head is the command you need. If you need last indexed records by a field (say host or user) then dedup or stats latest can be used.

Get the last Json Inserted document

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms