Solved: How do I make a search that groups output and give...

lloyddavage · ‎12-13-2018

The below query works fine it. It displays all of the heartbeats generated. What I would like though is to show just the last heartbeat for each Category, Source. So I can display just the latest timestamp.

Currently, this lists all results desc. What I would like though is the results should be just the top 3 lines so grouped by host, EventCode, Category, EDSource, EDRecordID, EDTime. So it should in this instance display the top 3 lines. This will be across multiple hosts at some point and then can be displayed on a dashboard.

richgalloway · ‎12-13-2018

The stats command should do the job. Put this in your query prior to | table:

| stats latest(_time) as _time, latest(EDTime) as EDTime, values(Server) as Server, values(EventCode) as EventCode, values(EDRecordID) as EDRecordID by Category, EDSource

---
If this reply helps you, Karma would be appreciated.

View solution in original post

whrg · ‎12-13-2018

Hello @lloyddavage,

You can use the dedup command to remove events that contain the same field values.

This will give you the last 3 lines for each Category/EDSource combination:

yoursearch
| dedup 3 Category EDSource

richgalloway · ‎12-13-2018

The stats command should do the job. Put this in your query prior to | table:

| stats latest(_time) as _time, latest(EDTime) as EDTime, values(Server) as Server, values(EventCode) as EventCode, values(EDRecordID) as EDRecordID by Category, EDSource

---
If this reply helps you, Karma would be appreciated.

lloyddavage · ‎12-13-2018

Thank you very much

How do I make a search that groups output and gives the max date?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!