I have a csv file on every computer and need to just search the last event for every host. I can't get a search to work without searching every event on every host. I have used dedup, but it still searches every host.
Hi chadman
To get the last value of a field per host you can use the last() function with the stats command.
See the following search code:
sourcetype="my source" | where Available_D < 100 | dedup host | stats last(Available_D) as Available_D by host | sort Available_D | table host Available_D
I'd probably abstract this into a lookup file holding state. Specifically, keep in your lookup file the most recent event per host. When you update it incrementally, it is cheap -- and getting the current state from the lookup is super cheap.
A similar answer is here:
http://answers.splunk.com/answers/216701/how-to-send-an-alert-email-the-first-time-since-th.html
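As an added illustration of the lookup-as-state approach described in the answer above (this is example SPL written for this page, not the answerer's own search), the scheduled search below refreshes a lookup that holds one row per host, and the second search reads the current state from it. The lookup name `host_state.csv`, the sourcetype `"my source"` and the field `Available_D` are taken from the thread; the 15-minute window and the schedule are assumptions.

```spl
``` Scheduled search (e.g. every 15 minutes): merge new events into the per-host state lookup ```
sourcetype="my source" earliest=-15m
| stats max(_time) as _time latest(Available_D) as Available_D by host
``` append the previously saved rows so hosts that sent nothing in this window keep their old state ```
| inputlookup append=true host_state.csv
``` keep the chronologically newest row per host; latest() picks by _time, not by arrival order ```
| stats max(_time) as _time latest(Available_D) as Available_D by host
| outputlookup host_state.csv

``` Cheap reporting search: no raw events are touched, only the lookup rows (one per host) ```
| inputlookup host_state.csv
| where Available_D < 100
| sort Available_D
| table host Available_D _time
```

The first run works with an empty or missing lookup (set `inputlookup append=true` to tolerate a lookup that does not exist yet, or create an empty `host_state.csv` with the columns host, Available_D and _time). Because the merge step uses `latest()` keyed on `_time`, a host whose last event is older than the search window still keeps its last known value rather than disappearing from the report.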
I tried that, but have not gotten it to work yet. I would think there would be an easier way to work with the last line from every host.
I will try to bake up a concrete example today/tonight of doing this via lookup. Check this space.
great, let me know if you come up with something
Here is an expensive way with ugly output using the map command
| stats count
| eval host="host_a,host_b,host_c"
| makemv delim="," host
| mvexpand host
| map search="search host=$host$ | head 1 "
Using your CSV file it might look like this...
| inputlookup host_csv
| map search="search host=$host$ | head 1"
Here is what I use now and it works, but I think it's searching every event. I only want it to look at the last event for every host to speed up the search.
sourcetype="my source" | where Available_D < 100 | dedup host | sort Available_D | table host, Available_D
Sorry, maybe I explained this incorrectly. I have a bunch of hosts that forward logs to Splunk in the form of a csv line every minute. I want to do a search across every host, but only get the last line of the log that has been forwarded by each host. So instead of searching every event on each host, I just need to grab the last event per host for a sourcetype.