Solved: The latest event for each IP address

ritazreiby · ‎09-13-2012

i have a list of events , sorted by ip addresses , i would like to see only the latest event for each ip, i tried using head 1 but then it shows me only one IP with all its events, any suggestions?

BGP AND ((neighbor down) OR (neighbor up)) | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | stats count by IP_add

sdaniels · ‎09-13-2012

If you know how many hosts you are looking at then you could do it this way:

 <your search> | dedup IP_add | head X

I think this will show you the latest event for each IP_add. Just replace X with the number of IP addresses that you should be looking at.

View solution in original post

sdaniels · ‎09-13-2012

If you know how many hosts you are looking at then you could do it this way:

 <your search> | dedup IP_add | head X

I think this will show you the latest event for each IP_add. Just replace X with the number of IP addresses that you should be looking at.

ritazreiby · ‎09-14-2012

thanks !! works just fine !!

The latest event for each IP address

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio