Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you pull out the latest entry "only" for the last numbers entered?

bzsplunk54
New Member
‎02-13-2019 02:31 PM

I have one file that is pulled in by a universal forwarder setup.

This file is constantly changing on the system for which the file resides on, and the old data is never removed. I don't want the search to display historical data for each item as I only want Splunk to poll this data for the current date and have this data displayed. The file is a _json file with epoch time. Currently I have my SPL search and the following: 

earliest =-0d@d latest=now
|dedup customer
|eval trigger=strftime(last_number, "%T %F %Z")
|table customer number trigger
|rename trigger as Date_Time

Would the above be accurate for me to attain only the results that I need? I only want to display the latest from this imported _json file for each customer based off the last_number field.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-13-2019 04:46 PM

That should be fine if last_number was used for _time. If not, you need this (and probably a wider/longer time span for earliest😞

earliest =-0d@d latest=now
| sort 0 - last_number
| dedup customer
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-13-2019 04:46 PM

That should be fine if last_number was used for _time. If not, you need this (and probably a wider/longer time span for earliest😞

earliest =-0d@d latest=now
| sort 0 - last_number
| dedup customer
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time
0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 03:29 PM

The stats latest(FIELD) as FIELD command is going to be the best way to do this.

Your current query may fail if you run it very early in the morning at as 12:05 am.

Better to do something like SEARCH | stats latest(last_numer) as last_number or even SEARCH | stats latest(*) as *` This will return the most recent of all fields.

Note that if you fields in the event change you might need some extra tricks that I can help you with.

All the best

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...