How to get the first event from a search AND get 1 event in a timechart by source?

Arnaud1213
Explorer

Hi all,
How to get the first event from a search AND get only 1 event in a timechart by source? (and not "by source, span interval"):

If I try this search:

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | table _time, source, mySpecificValue

I can get for example 10 events in my source blabla1, 15 in the source blabla2, ... I want to select, for each source, the first one and to chart them with a timechart command.

Thanks in advance for help.

0 Karma
1 Solution

sundareshr
Legend

dedup is your friend

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source | table _time, source, mySpecificValue


0 Karma

Arnaud1213
Explorer

Hi Martin,
Thank you for your message. Yes I agree: difficult to visualize the need, sorry.


_time source mySpecificValue
2016-11-15 13:17:04 E:\myLog\2016_1115_1222_3816.log 41497
2016-11-15 13:14:23 E:\myLog\2016_1115_1222_3816.log 41497
2016-11-15 13:11:42 E:\myLog\2016_1115_1222_3816.log 41170
2016-11-15 13:09:01 E:\myLog\2016_1115_1222_3816.log 40889
2016-11-15 13:06:18 E:\myLog\2016_1115_1222_3816.log 42621
2016-11-15 13:03:37 E:\myLog\2016_1115_1222_3816.log 41529
2016-11-15 13:00:54 E:\myLog\2016_1115_1222_3816.log 42501
2016-11-15 12:57:10 E:\myLog\2016_1115_1222_3816.log 103884
2016-11-15 12:24:19 E:\myLog\2016_1115_1222_3816.log 1.8514e+006
2016-11-16 13:17:04 E:\myLog\2016_1116_1222_3816.log 9872
2016-11-16 13:14:23 E:\myLog\2016_1116_1222_3816.log 1645
2016-11-16 13:11:42 E:\myLog\2016_1116_1222_3816.log 41684
2016-11-16 13:09:01 E:\myLog\2016_1116_1222_3816.log 15438
2016-11-16 13:06:18 E:\myLog\2016_1116_1222_3816.log 15879
2016-11-16 13:03:37 E:\myLog\2016_1116_1222_3816.log 1234
2016-11-16 13:00:54 E:\myLog\2016_1116_1222_3816.log 4254
2016-11-16 12:57:10 E:\myLog\2016_1116_1222_3816.log 5442
2016-11-16 12:24:19 E:\myLog\2016_1116_1222_3816.log 123456

Every day I get this type of log (example of an export from Splunk with the query above). In one use case, I need to chart only the first event by source because they have a particular meaning, so:


2016-11-15 12:24:19 E:\myLog\2016_1115_1222_3816.log 1.8514e+006
2016-11-16 12:24:19 E:\myLog\2016_1116_1222_3816.log 123456

0 Karma

gokadroid
Motivator

Like @martin_mueller mentioned, timechart of a single value might not be of great value, but still check if this might suit your need:

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" 
| chart latest(mySpecificValue) over _time by source

OR

index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" 
| timechart latest(mySpecificValue) by source

Depending on what you consider as the first value, i.e. earliest, latest, first, last, use the appropriate function in the chart command.
Reference for these functions can be found here.

0 Karma

Arnaud1213
Explorer

Thank you for your answer.
Unfortunately it does not work because all the events are returned (despite using first or earliest...).
I think 'dedup is my friend', as sundareshr mentioned.
Arnaud

0 Karma

martin_mueller
SplunkTrust

What is that timechart of one value supposed to look like?
A little more background on your data and use case might help give a more useful answer.

0 Karma

Arnaud1213
Explorer

Thank you, it could help:
If I try my query like yours but complete it with a sort option, it seems to work:


index=blabla sourcetype=blabla source=blabla1 "MySpecificFilter" | dedup source sortby +_time | table _time, source, mySpecificValue

--> I get the right result.

Arnaud
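The thread settles on dedup with an explicit sort, and the reason the sort matters is worth making explicit: dedup keeps the first event it sees in the current result order, and search results arrive most-recent-first by default, so a bare `dedup source` keeps the latest event per source while `dedup source sortby +_time` keeps the earliest. The following pipelines are an added example written for this thread, not code posted by any participant. They reuse the index, sourcetype, field and filter names from the question; the `span=1d` bucket is an assumption based on the one-log-file-per-day pattern in the sample export.

```spl
index=blabla sourcetype=blabla "MySpecificFilter"
| dedup source sortby +_time
| timechart span=1d max(mySpecificValue) by source

index=blabla sourcetype=blabla "MySpecificFilter"
| stats earliest(_time) as _time, earliest(mySpecificValue) as firstValue by source
| timechart span=1d max(firstValue) by source
```

The first form is the accepted answer carried through to the chart: after dedup there is exactly one event per source, so each daily bucket holds one value per series and `max` (or `latest`, `values`) just passes it through. The second form avoids dedup's dependence on result order altogether: `earliest()` picks the value from the chronologically earliest event regardless of how the results are sorted, and `earliest(_time)` restores a `_time` field so timechart can bucket the single row per source. The reason the earlier `timechart latest(mySpecificValue) by source` attempt still showed every event is that timechart buckets first and applies the function per bucket; with the default span it never reduces a source to a single point, so the reduction must happen in a preceding dedup or stats.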
