Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Most recent set of events

wsw70
Communicator
‎03-05-2012 07:22 AM

Hello,

Some time ago I was looking for a way to search for events grouped around a date but I think it was an overkill. I changed the format of my events to include a creation time which is a timestamp (epoch) identical for all events which happened "at the same time".

What would be the splunk way to search for "events where TIMESTAMP=max(all TIMESTAMPs)". In other words I have, say, 3 groups of 100 events with a unique timestamp per group. I would like to display only the 100 events of the last group which has the largest timestamp.

Thank you!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-05-2012 08:50 AM

Since Splunk always delivers the most recent results first, and since you've set up timestamping for the events to be based on your creation timestamp, you can use streamstats and head to terminate the search as soon as it has seen more than one timestamp:

... | streamstats dc(_time) as distinct_times | head (distinct_times == 1)

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-05-2012 08:50 AM

Since Splunk always delivers the most recent results first, and since you've set up timestamping for the events to be based on your creation timestamp, you can use streamstats and head to terminate the search as soon as it has seen more than one timestamp:

... | streamstats dc(_time) as distinct_times | head (distinct_times == 1)
Reply
Solved! Jump to solution

bnorthway
Path Finder
‎11-13-2015 12:07 PM

Great tip! Don't forget you can use the reverse command before streamstats as well.

0 Karma
Reply
Solved! Jump to solution

nvonkorff
Path Finder
‎05-21-2014 05:15 PM

This works great, however is there a way to do this split by a variable? What I mean is I have a set of events each with a common time, but for multiple servers. I want to get the latest set of events by server.

Something like:

... | streamstats dc(_time) as distinct_times by server | head (distinct_times == 1)

I have played around with various permutations of the above, but cannot get it to do what I want.

0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-13-2012 08:00 AM

You can access the second batch by changing the head predicate to (distinct_times <= 2) and follow that with | search distinct_times = 2 to pick the second batch. The same is true for the n-th set.

0 Karma
Reply
Solved! Jump to solution

wsw70
Communicator
‎03-13-2012 07:42 AM

Thank you - works just great. Would you know if there is a way to access the second last, third last, etc. set of events (based on the same kind of timestamp)?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...