Hi,
I have an index called "mydata", sourcetype="my_data".
My sample event is something like this:
2013-05-12:00:12:34 reportname="X" Request ##############
..................
.
.............
Here in my sample event, I need to know the LastUpdate for the different report_names. I have the following reportnames in the event data, so I need the report to look like this:
report_name    LastUpdateTime
X              2012-05-12:4:34:00
Y              2012-05-12:4:04:00
...
How can I get this? Please help!
If you just want to list the latest timestamp for each reportname, you can use:
index=mydata sourcetype=mysourcetype source=mysource | stats latest(_time) AS LastUpdateTime by reportname | table reportname LastUpdateTime | sort -reportname
For details, see http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions
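As an added illustration (this is not part of the answer above and not Splunk code), the same "latest timestamp per report name" aggregation that the stats search performs, written in Python over a handful of constructed sample events in the shape the question shows. The report names and timestamps are made up; the timestamp layout YYYY-MM-DD:HH:MM:SS and the field name reportname are taken from the sample event. It also skips lines that do not match, the way an event without a parseable field would drop out of the stats result.

```python
import re
from datetime import datetime

# Constructed sample events in the shape the question shows (not real data).
SAMPLE_EVENTS = [
    '2013-05-12:00:12:34 reportname="X" Request ##############',
    '2013-05-12:00:15:10 reportname="Y" Request ##############',
    '2013-05-12:04:34:00 reportname="X" Request ##############',
    '2013-05-12:04:04:00 reportname="Y" Request ##############',
    'garbage line with no timestamp or reportname field',  # must be skipped
    '2013-05-12:03:59:59 reportname="X" Request ##############',
]

TIMESTAMP_FMT = "%Y-%m-%d:%H:%M:%S"
# Timestamp at the start of the line, then the quoted reportname field.
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}:\d{2}:\d{2}:\d{2})\s+reportname="(?P<name>[^"]*)"'
)


def parse_event(line):
    """Return (reportname, datetime) for one event, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TIMESTAMP_FMT)
    except ValueError:
        return None  # well-formed prefix but an impossible date/time
    return m.group("name"), ts


def latest_by_report(lines):
    """Equivalent of `stats latest(_time) AS LastUpdateTime by reportname`:
    keep the newest timestamp seen for each report name."""
    latest = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        name, ts = parsed
        if name not in latest or ts > latest[name]:
            latest[name] = ts
    return latest


def format_table(latest):
    """Rows of (report name, formatted time), descending by name like `sort -reportname`."""
    rows = [(name, ts.strftime(TIMESTAMP_FMT)) for name, ts in latest.items()]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    print("report_name LastUpdateTime")
    for name, when in format_table(latest_by_report(SAMPLE_EVENTS)):
        print(name, when)
```

Note that the field in the sample event is spelled reportname, which is what the search groups by; if the output column should read report_name, rename it in the search (for example with `rename reportname AS report_name`) rather than changing the field extraction.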
Hello Rakesh,
I would like to know how you monitor the data.
If the data is coming in like you mentioned, doing a "table report_name, LastUpdateTime, _time | dedup report_name" will give you the latest records.
The report names will be coming in the log file only. Can you please give me the script to send me the last update time? I don't want to run the search over all time to find the most recent time for all the report names.
I wanted to know how the report names are being indexed. As an alternative, you can also write a script and configure it in inputs.conf to send you the last modified time for the report files.
I don't have the file LastUpdateTime. 😞 It's not working. Monitor the data??
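As an added example of the scripted-input approach suggested in the comment above (this is not the commenter's script and not part of Splunk), a small Python script that walks a report directory and emits one event per file carrying that file's last-modified time. The event prefix is the collection time, so Splunk's _time is when the script ran, while LastUpdateTime and last_modified_epoch carry the file mtime. The directory, file names and mtimes in build_demo_dir() are constructed fixtures, and the inputs.conf stanza in the comment assumes a script path of your own choosing.

```python
import os
import sys
import tempfile
import time

# Assumed inputs.conf stanza for this script (path is an assumption, not a Splunk default):
#   [script://$SPLUNK_HOME/bin/scripts/report_mtime.py]
#   interval = 300
#   sourcetype = report_mtime
EVENT_TS_FMT = "%Y-%m-%d:%H:%M:%S"


def safe_name(name):
    """Refuse file names that could forge extra fields or split the event into two lines.
    The script runs with Splunk's privileges, so never trust names found on disk."""
    return not any(ch in name for ch in '"\n\r')


def last_modified_events(report_dir, now=None):
    """One event per regular file in report_dir, carrying its last-modified time."""
    now = time.time() if now is None else now
    prefix = time.strftime(EVENT_TS_FMT, time.localtime(now))
    events = []
    for name in sorted(os.listdir(report_dir)):
        path = os.path.join(report_dir, name)
        if not os.path.isfile(path) or not safe_name(name):
            continue
        mtime = os.stat(path).st_mtime
        events.append(
            f'{prefix} report_name="{name}" '
            f'LastUpdateTime="{time.strftime(EVENT_TS_FMT, time.localtime(mtime))}" '
            f'last_modified_epoch={int(mtime)}'
        )
    return events


def build_demo_dir():
    """Constructed fixture: fake report files with fixed mtimes (not real reports)."""
    d = tempfile.mkdtemp(prefix="reports_")
    for name, mtime in (("X.csv", 1336797240), ("Y.csv", 1336795440)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("constructed report contents\n")
        os.utime(p, (mtime, mtime))
    # A hostile file name that would inject a field; it must be skipped, not emitted.
    try:
        with open(os.path.join(d, 'Z" evil="1'), "w") as f:
            f.write("x\n")
    except OSError:
        pass  # some filesystems forbid the character; the check still applies elsewhere
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for ev in last_modified_events(target):
        print(ev)
```

Run it with the report directory as the first argument; with no argument it prints events for the constructed fixture. The epoch field is what you would compare across hosts, since the formatted LastUpdateTime is rendered in the local time zone of the machine running the script.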