
Finding last event

bojanz
Communicator

What is the best (the most efficient) way of finding last (the most recent) events for certain hosts?

For example, I have a log in which multiple hosts log their AV definition number. I want to compare this with something else, so I just need the most recent log for each server.

Currently I can do this by creating transactions for hosts and then using mvcount and mvindex to extract the most recent value, but this sounds awfully inefficient to me. Is there a better way to do this? (The map command sounds perfect, but I've never been able to get it to work...)

dwaddle
SplunkTrust

This isn't exactly what you're asking for, but it may be a starting point. You can use dedup to get the most recent "AV Definition" log event. And, from there, you can use addinfo to add the current time (of the search) to the search. Using these, you may be able to perform a search that gives you in effect "How long, from now, has it been since this system reported its AV definition number?"

AV definition | addinfo | dedup 1 host sortby -_time
| eval deltatime=((info_search_time-_time)/3600)
| where deltatime > 24
| table _time,host,deltatime

David
Splunk Employee

Assuming you have fields extracted, have you tried:

YourSearch | stats first(DefNumber) by host

First will grab the first log that Splunk finds, which should always be the most recent event in this scenario.
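
An added example (not part of this thread and not David's search) that takes the same idea a step further. It assumes an index named av, a sourcetype av_definitions and an extracted numeric field DefNumber, none of which are named in the thread. It uses latest() and max(_time), which pick the chronologically latest value per host, rather than first(), which depends on the order events come back in; it then compares each host's definition against the newest one seen across the fleet and flags hosts that lag behind or have not reported for more than a day.

```spl
index=av sourcetype=av_definitions
| stats latest(DefNumber) as DefNumber, max(_time) as last_seen by host
| eval DefNumber=tonumber(DefNumber)
| eventstats max(DefNumber) as newest_def
| eval versions_behind=newest_def-DefNumber
| eval age_hours=round((now()-last_seen)/3600, 1)
| where versions_behind > 0 OR age_hours > 24
| convert ctime(last_seen)
| table host DefNumber newest_def versions_behind last_seen age_hours
```

Run it over a time range wide enough to include every host's most recent report. first() gives the same answer as latest() only while events are still in reverse chronological order, which holds for a plain search but not after commands that reorder results; latest() does not have that dependency. The eventstats step is what turns "the most recent value per host" into the comparison asked for in the question: versions_behind is zero for hosts on the newest definition and positive for hosts that are behind.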

mitag
Contributor

Expanding the timeframe of such a search increases its "cost" - its time to run. I.e. Splunk does not stop searching when it finds the most recent event - it keeps going through all of them. This doesn't feel efficient to me.

Why this matters: if the task is to get the value of a field in the last event in a search no matter when that last event happened (30 seconds ago? Two years?), one should search "all time", and this will take a long, long time to complete across a decent-size dataset. If, on the other hand, stats first could stop searching once it found the last event, that would dramatically decrease the cost.

primenetadmin
Engager

Very nice! Created a multiple process monitor like

index=os sourcetype=ps host=dcagsm*
| eval gsa_is_running=if(match(_raw, "GSA"), "GSA Running", "GSA Not Running")
| eval GSC_is_running=if(match(_raw, "GSC"), "GSC Running", "GSC Not Running")
| eval GSM_is_running=if(match(_raw, "GSM"), "GSM Running", "GSM Not Running")
| eval LH_is_running=if(match(_raw, "LH"), "LH Running", "LH Not Running")
| stats first(gsa_is_running) as GSA,
first(GSC_is_running) as GSC,
first(GSM_is_running) as GSM,
first(LH_is_running) as LH by host
| search "Not Running"

bojanz
Communicator

Thanks, that should do it for this case 🙂

gkanapathy
Splunk Employee

If you just want the events, vs a table of extracted fields (or if you need multiple fields), you can use YourSearch | dedup host, and if you know how many hosts you have, you might be able to make it finish faster with: YourSearch | dedup host | head X, where X is the number of hosts you want to see.

landen99
Motivator

dedup is inefficient because it searches every event from every host (all indexes/sourcetypes available) until you tell it to stop.

mslvrstn
Communicator

From quickly-find-the-time-since-the-last-event-logged-by-a-host, I use

| metadata type=hosts | sort recentTime desc | convert ctime(recentTime) as Recent_Time
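
An added example, written for this page rather than taken from any of the posters, that addresses the cost concern raised by mitag, gkanapathy and landen99 and the per-host approach mslvrstn takes with metadata. When the only question is when each host last reported, tstats reads the index-level summaries for host, source and sourcetype instead of scanning events, so it stays cheap even over "all time". It assumes the same av index and av_definitions sourcetype as above and a hypothetical lookup file av_expected_hosts.csv with a host column; the lookup is what catches hosts that have never reported at all, which a search over the index alone cannot surface. DefNumber is not an indexed field, so its value still needs an event-scanning stats search; this only finds the hosts worth scanning for.

```spl
| tstats max(_time) as last_seen where index=av sourcetype=av_definitions by host
| append [| inputlookup av_expected_hosts.csv | fields host]
| fillnull value=0 last_seen
| stats max(last_seen) as last_seen by host
| eval age_hours=if(last_seen=0, null(), round((now()-last_seen)/3600, 1))
| where last_seen=0 OR age_hours > 24
| eval status=if(last_seen=0, "never reported", "stale")
| eval last_seen=if(last_seen=0, "never", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host status last_seen age_hours
```

The fillnull and stats max() steps merge the expected-host list with what the index actually holds, so a host that is in the lookup but has no events ends up with last_seen=0 and is reported as "never reported" instead of silently dropping out. One caveat on the metadata variant: metadata's lastTime is the latest event timestamp, while recentTime is the latest index time, so sorting on recentTime measures when data last arrived rather than when the host last logged; the two diverge for hosts whose forwarders or clocks lag.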