Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a search that returns the most recent event for a sourcetype on every host?

chadman
Path Finder
‎04-09-2015 08:08 AM

I have a csv file on every computer and need to just search the last event for eveyy host. I can't get a search to work without searching every event on every host. I have used dedup, but it still searches every host.

Tags (3)
0 Karma
Reply

chimell
Motivator
‎04-15-2015 09:05 AM

Hi chadman
to get last value of a host field you can use last() function with stats cammand

see the following serch code

    sourcetype="my source" | where Available_D < 100 | dedup host |stats last(host) as last_host| sort Available_D a |table  last_host  Available_D
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎04-09-2015 02:22 PM

I'd probably abstract this into a lookup file holding state. Specifically, keep in your lookup file the most recent event per host. When you update it incrementally, it is cheap -- and getting the current state from the lookup is super cheap.

A similar answer is here:

http://answers.splunk.com/answers/216701/how-to-send-an-alert-email-the-first-time-since-th.html

Reply

chadman
Path Finder
‎04-14-2015 05:46 AM

I tried that, but have not gotten it to work yet. I would think there would be an eaiser way to work with the last line from every host.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎04-14-2015 06:07 AM

I will try to bake up a concrete example today/tonight of doing this via lookup. Check this space.

0 Karma
Reply

chadman
Path Finder
‎04-15-2015 08:40 AM

great, let me know if you come up with something

0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎04-09-2015 08:57 AM

Here is an expensive way with ugly output using the map command

| stats count 
| eval host="host_a,host_b,host_c" 
| makemv delim="," host 
| mvexpand host 
| map search="search host=$host$ | head 1 "

Using your CSV file it might look like this...

| stats count 
| inputlookup=host_csv 
| map search="search host=$host$ | head 1 "

Better Solution

Actually, host info can be queried by metadata so this "Most recent event from each source?" answer from Ayn may be adapted to solve this problem more neatly.

0 Karma
Reply

chadman
Path Finder
‎04-09-2015 09:38 AM

Here is what I use now and it works, but I think it's seaching every event. I only want it to look at the last event for every host to speed up the search. sourcetype="my source" | where Available_D < 100 | dedup host | sort Available_D a |table host,Available_D

0 Karma
Reply

chadman
Path Finder
‎04-09-2015 09:24 AM

Sorry, maybe I explained this incorrectly. I have a bunch of host that forward logs to Splunk in the form of a csv line every min. I want to do a search of every host, but only get the last line of the log that has been forwarded by the host. So instead of searching every event on each host, I just need to grab the last event for a sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...