I have one file that is pulled in by a universal forwarder setup.
This file is constantly changing on the system on which it resides, and the old data is never removed. I don't want the search to display historical data for each item, as I only want Splunk to poll this data for the current date and have this data displayed. The file is a _json file with epoch time. Currently I have my SPL search and the following:
earliest =-0d@d latest=now
|dedup customer
|eval trigger=strftime(last_number, "%T %F %Z")
|table customer number trigger
|rename trigger as Date_Time
Would the above be accurate for me to attain only the results that I need? I only want to display the latest from this imported _json file for each customer based off the last_number field.
That should be fine if last_number was used for _time. If not, you need this (and probably a wider/longer time span for earliest):
earliest =-0d@d latest=now
| sort 0 - last_number
| dedup customer
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time
The stats latest(FIELD) as FIELD command is going to be the best way to do this.
Your current query may fail if you run it very early in the morning, such as 12:05 am.
Better to do something like SEARCH | stats latest(last_number) as last_number
or even SEARCH | stats latest(*) as * This will return the most recent of all fields.
Note that if the fields in the event change you might need some extra tricks that I can help you with.
All the best
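To make the difference between the answers concrete, here is an added Python emulation (not part of the thread, not Splunk code) run over a constructed five-line _json file with hypothetical epoch values: it shows that dedup in file order keeps the oldest record, that sorting by last_number before dedup (or stats latest) keeps the newest, and that a search window starting at midnight silently drops a customer whose last record is older than the window.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the growing _json file: one record per line,
# old records never removed. Customers and epoch values are hypothetical.
RAW_JSON_LINES = """
{"customer": "acme", "number": 101, "last_number": 1700000000}
{"customer": "acme", "number": 102, "last_number": 1700086400}
{"customer": "globex", "number": 201, "last_number": 1700003600}
{"customer": "globex", "number": 202, "last_number": 1700090000}
{"customer": "initech", "number": 301, "last_number": 1699999000}
""".strip()


def load_events(text):
    """Parse the newline-delimited JSON file into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dedup_in_file_order(events):
    """Emulates `| dedup customer` when _time does NOT come from last_number:
    the first record seen per customer wins, which here is the oldest one."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["customer"], ev)
    return seen


def latest_per_customer(events, earliest=None):
    """Emulates `| sort 0 - last_number | dedup customer` (equivalently
    `stats latest(*) as *` keyed on last_number): newest record per customer.
    `earliest` emulates the search window; records with last_number below it
    are never considered, which is the early-morning failure in the thread."""
    seen = {}
    for ev in sorted(events, key=lambda e: e["last_number"], reverse=True):
        if earliest is not None and ev["last_number"] < earliest:
            continue
        seen.setdefault(ev["customer"], ev)
    return seen


def format_date_time(epoch):
    """Same layout as strftime(last_number, "%T %F %Z"), rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%T %F %Z")


if __name__ == "__main__":
    evs = load_events(RAW_JSON_LINES)
    for cust, ev in latest_per_customer(evs).items():
        print(cust, ev["number"], format_date_time(ev["last_number"]))
```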