Solved: The latest event for each IP address

ritazreiby · ‎09-13-2012

i have a list of events , sorted by ip addresses , i would like to see only the latest event for each ip, i tried using head 1 but then it shows me only one IP with all its events, any suggestions?

BGP AND ((neighbor down) OR (neighbor up)) | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | stats count by IP_add

sdaniels · ‎09-13-2012

If you know how many hosts you are looking at then you could do it this way:

 <your search> | dedup IP_add | head X

I think this will show you the latest event for each IP_add. Just replace X with the number of IP addresses that you should be looking at.

View solution in original post

sdaniels · ‎09-13-2012

If you know how many hosts you are looking at then you could do it this way:

 <your search> | dedup IP_add | head X

I think this will show you the latest event for each IP_add. Just replace X with the number of IP addresses that you should be looking at.

ritazreiby · ‎09-14-2012

thanks !! works just fine !!

The latest event for each IP address

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!