Splunk Search

How to restrict events based on the time range?

bollam
Path Finder

Hello,

I have a script which runs every 4 hours and the output is written to Splunk, Everyday six are being written to Splunk.
I need to restrict events based on the time range I select, For an instance, When I look for the last 24 hours I need only one event to be shown, but actually there are six events in the last 24 hours, Similarly when I check for the last 7 days I need to see only 7 events i.e., one event from each day need to be displayed. I'm not sure if it's possible.

Tags (1)
0 Karma

FrankVl
Ultra Champion

Try adding this to your search:

| bin _time span=1d | dedup _time

I think this gets you the last event of each day.

bollam
Path Finder

Thanks FrankVI for the prompt response!! It worked!!

0 Karma

FrankVl
Ultra Champion

You're welcome 🙂

Please mark the answer as accepted, so this can easily be found by others with the same question in the future 🙂

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...