Splunk Search

How to search for the last data point in a graph for each host in a table?

minkyuk
Explorer

In a given graph, say,

[|inputlookup capacityQuarterOne.csv] in which I have a big table of [ host / used_mb ] for every different host.

The search runs for past x # of days (7 days, 30 days, 1 quarter, etc.).

How could I find the LAST point in the graph (final point) for each host in the table?
I just want to make sure it's less than max threshold cap, so I want to report the final point for every host in the graph.

I would highly appreciate any input from you Splucktians,

Thank you in advance,
Jack

0 Karma

woodcock
Esteemed Legend

Like this:

... | dedup host

0 Karma

minkyuk
Explorer

Isn't dedup just omitting duplicate elements?

0 Karma

woodcock
Esteemed Legend

It works by keeping the latest example of the deduped fields. It does exactly what you are desiring: keep the most recent event for each host.

0 Karma
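An added example, not part of the original thread: a small Python model of the behaviour discussed above. `dedup` keeps the first result it sees for each field value, so the row it keeps depends on result order, and `inputlookup` returns rows in file order. The `_time` column, the oldest-first row order, the sample values and the 5000 MB cap are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample standing in for capacityQuarterOne.csv. The _time column
# and oldest-first order are assumptions; the thread names only host and used_mb.
LOOKUP_CSV = """_time,host,used_mb
2024-01-01T00:00:00,db01,4100
2024-01-01T00:00:00,web01,900
2024-02-01T00:00:00,db01,5300
2024-02-01T00:00:00,web01,1100
"""
MAX_USED_MB = 5000  # hypothetical threshold cap


def load_rows(text):
    """Parse the lookup into dicts, preserving file order as inputlookup does."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_time"] = datetime.fromisoformat(row["_time"])
        row["used_mb"] = int(row["used_mb"])
    return rows


def dedup(rows, field):
    """Model of `dedup <field>`: keep the first row seen for each value."""
    seen, kept = set(), []
    for row in rows:
        if row[field] not in seen:
            seen.add(row[field])
            kept.append(row)
    return kept


def final_point_per_host(rows):
    """Model of `sort 0 -_time | dedup host`: newest row per host."""
    newest_first = sorted(rows, key=lambda r: r["_time"], reverse=True)
    return {r["host"]: r["used_mb"] for r in dedup(newest_first, "host")}


def over_cap(rows, cap=MAX_USED_MB):
    """Hosts whose final data point exceeds the cap."""
    return sorted(h for h, mb in final_point_per_host(rows).items() if mb > cap)


if __name__ == "__main__":
    rows = load_rows(LOOKUP_CSV)
    print("dedup in file order:", {r["host"]: r["used_mb"] for r in dedup(rows, "host")})
    print("newest per host:", final_point_per_host(rows), "over cap:", over_cap(rows))
```

If the lookup rows are not already newest first, sorting by time in descending order before `dedup host` is what makes the kept row the final point.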