Hello,
I have a script which runs every 4 hours and its output is written to Splunk, so every day six events are written to Splunk.
I need to restrict events based on the time range I select. For instance, when I look at the last 24 hours I need only one event to be shown, but actually there are six events in the last 24 hours. Similarly, when I check the last 7 days I need to see only 7 events, i.e., one event from each day needs to be displayed. I'm not sure if it's possible.
Try adding this to your search:
| bin _time span=1d | dedup _time
I think this gets you the last event of each day.
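To show what the `bin`/`dedup` pipeline above actually does to the data, here is an added Python model of it (not Splunk code and not from anyone in this thread). It constructs twelve sample events spaced four hours apart, floors each `_time` to a one-day bucket the way `bin _time span=1d` does, and keeps the first event seen per bucket while walking the events newest-first, which is the order Splunk feeds `dedup` by default. The field names `_time` and `run` and the sample timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

DAY_SECONDS = 86400


def make_sample_events():
    """Constructed sample: a script that posts every 4 hours, starting 00:30 UTC,
    for two days (12 events, 6 per calendar day)."""
    start = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)
    return [
        {"_time": int((start + timedelta(hours=4 * i)).timestamp()), "run": i}
        for i in range(12)
    ]


def bin_time(epoch, span_seconds=DAY_SECONDS):
    """Model of `bin _time span=1d`: floor the epoch to the start of its bucket.
    Buckets here are aligned to UTC midnight; Splunk aligns to the search time zone."""
    return epoch - (epoch % span_seconds)


def dedup_latest_per_bucket(events, span_seconds=DAY_SECONDS):
    """Model of `... | bin _time span=1d | dedup _time`.

    Splunk returns events newest-first and `dedup` keeps the first row it sees
    for each key, so the survivor per day is the latest event of that day.
    Note that `bin` overwrites `_time` with the bucket start; the original
    timestamp is kept in `orig_time` so the caller can still see it.
    """
    seen = set()
    kept = []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        bucket = bin_time(ev["_time"], span_seconds)
        if bucket in seen:
            continue
        seen.add(bucket)
        kept.append({**ev, "orig_time": ev["_time"], "_time": bucket})
    return kept


if __name__ == "__main__":
    for row in dedup_latest_per_bucket(make_sample_events()):
        day = datetime.fromtimestamp(row["_time"], tz=timezone.utc).date()
        print(day, "run", row["run"])
```

Running it prints one row per day (runs 11 and 5), which mirrors the thread's result: six events a day collapse to one, and the one kept is the last of that day. The `orig_time` field also illustrates why the displayed `_time` after `bin` is midnight rather than the real event time.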
Thanks, FrankVI, for the prompt response!! It worked!!
You're welcome 🙂
Please mark the answer as accepted, so this can easily be found by others with the same question in the future 🙂