Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I get query only the last ten files from each device regardless of time range?

peterh26
New Member
‎03-12-2017 12:45 AM

I am looking at 10,000 devices and want to look at the last ten files each one has produced. Some will create 100 files a day, some 10 files per week, so I cannot use date, I need to be able to get a count out of the last ten files that violate specific criteria.

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎03-12-2017 10:41 AM

index=yourIndexName [index=yourIndexName | dedup host | fields host | return host] | dedup 10 source

Unfortunately there is a limitation of 10,000 on subsearches I believe. Besides this next one might be exactly what you need.

index=yourIndexName | dedup 10 host source | table host source | sort 0 host

Events returned by dedup are based on search order. For historical searches, the most recent events are searched first. For real-time searches, the first events that are received are search, which are not necessarily the most recent events.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

0 Karma
Reply

peterh26
New Member
‎03-12-2017 07:15 PM

Thank you kat54! That works great. I was using a field that goes up by one for each subsequent sample run or "file": source|stats first("Service Counter") as frst last("Service Counter") as lst by "instr_id" |eval Range=(frst - lst) |where Range<10

The problem is that I want to have all ten most recent files for each device, then perform stats on the results (essentially filter the results and find the median, mean, or certain fields, as well the count of fields out of those ten files that meet the filtering requirements. I tried doing a join to the solution you gave me and the one I had come up with (yours is much more elegant and I have found a workaround using it). I am really new to Splunk and need some more time to test one more idea, but for now, I can export the solution you provided with the fields I need to perform stats on to Excel or SAS and do the refining there. Make sense? I'm not sure how much detail to go into.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎03-13-2017 12:59 PM

The dedup 10 will give the latest 10 results assuming timestamps are correctly ordered.

0 Karma
Reply

peterh26
New Member
‎03-19-2017 09:58 PM

thanks again, this has been an incredibly helpful tool in my analysis, much appreciated 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...