We have a search that someone from Splunk helped us put together a few years ago that we altered a bit:
index="Firewall" AND host=
However it seems to show the oldest occurrence rather than the newest occurrence. All we want to see is the newest occurrence. Any idea what in there is breaking that?
Thanks.
I think I figured it out. Seems that where you stick the dedup is important. So posting this works:
index="Firewall" AND host=
Where this doesn't:
index="Firewall" AND host=
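The point in the answer above is that `dedup` keeps the first result it sees for each distinct field value, in whatever order results reach it in the pipeline, so what precedes it decides whether "first" means newest or oldest. The following is an added illustration (not code from this thread and not Splunk itself): a small Python model of the two pipeline orderings over constructed firewall events. The field names (`host`, `src_ip`, `action`), the host name and the addresses are assumptions; the events are listed oldest-first on purpose, to mimic a pipeline stage that hands results to `dedup` in ascending time order.

```python
"""Model of how dedup placement interacts with result order in a search pipeline.

Added example, not from the original thread. Assumptions: a `dedup`
that keeps the first result per distinct value of a field, and a
`sort -_time` that orders results newest-first, which is how Splunk's
commands of those names behave. Sample events below are constructed.
"""
from datetime import datetime, timezone


def _t(hour, minute):
    """Helper for readable constructed timestamps (all on one sample day)."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample events, deliberately oldest-first so the effect of
# sorting before vs. after dedup is visible. src_ip 10.0.0.5 appears three
# times; only the most recent entry should matter for "newest per source".
EVENTS = [
    {"_time": _t(8, 0),   "host": "fw-edge-1", "src_ip": "10.0.0.5", "action": "allow"},
    {"_time": _t(9, 30),  "host": "fw-edge-1", "src_ip": "10.0.0.5", "action": "block"},
    {"_time": _t(10, 15), "host": "fw-edge-1", "src_ip": "10.0.0.9", "action": "allow"},
    {"_time": _t(11, 45), "host": "fw-edge-1", "src_ip": "10.0.0.5", "action": "block"},
]


def dedup(events, field):
    """Keep the first event seen for each distinct value of `field`
    (pipeline order is preserved, later duplicates are dropped)."""
    seen = set()
    kept = []
    for ev in events:
        if ev[field] in seen:
            continue
        seen.add(ev[field])
        kept.append(ev)
    return kept


def sort_desc_time(events):
    """Equivalent of `| sort -_time`: newest event first."""
    return sorted(events, key=lambda ev: ev["_time"], reverse=True)


def newest_per_src(events):
    """`... | sort -_time | dedup src_ip`: order first, then dedup.
    Because the newest event per src_ip now arrives first, it is the one kept."""
    return dedup(sort_desc_time(events), "src_ip")


def dedup_then_sort(events):
    """`... | dedup src_ip | sort -_time`: dedup first, then sort.
    dedup keeps whatever arrived first (here the oldest), and sorting
    afterwards only reorders the already-chosen survivors."""
    return sort_desc_time(dedup(events, "src_ip"))


if __name__ == "__main__":
    for label, fn in (("sort then dedup", newest_per_src),
                      ("dedup then sort", dedup_then_sort)):
        print(label)
        for ev in fn(EVENTS):
            print("  ", ev["_time"].isoformat(), ev["src_ip"], ev["action"])
```

With the events above, sort-then-dedup returns the 11:45 block for 10.0.0.5 and the 10:15 allow for 10.0.0.9, while dedup-then-sort returns the 8:00 allow for 10.0.0.5 instead, which is exactly the "oldest occurrence" symptom described in the question when an earlier stage delivers events oldest-first. In SPL the timestamp field is `_time`, and `sort` truncates to 10,000 results by default; `sort 0 -_time` lifts that cap when the dedup must see every event.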
Try inserting a "...| sort -time" (i.e. sort by descending order of time)
Also, when I pare the search down to this:
index="Firewall" AND host=
It works like expected. But I'm not able to look at the "result table" at all.
Thank you. That doesn't seem to do it for me though for some reason. I don't want to sort the results per se; I want to change the results to show me instead only the most recent results.
I'm starting to think the search is flawed.
I don't know enough about Splunk to know the difference, but I see 1 result under "results table" - the oldest one, and I see 40 results under "events list".
I don't understand why I see 40 events - the dedup should be stopping that. I also don't understand why, on "results table", I'm seeing the oldest one.