Solved: only interested in the last line of the table for ...

bowa · ‎05-18-2011

I have a savedsearch thats on a dashboard that is run every hour.
It gives a table with or each hour of that day a row with some stats (like the % of slow transactions).

Now i would like to add an alert to this saved search, to be notified if the % of slow transactions is above a certain percentage.

A conditional alert with condition

search slowpct>10

does the trick ... but once we have had an hour with a lot of slow transactions it will always gets triggers.
So i am looking for a way to do this search only on the last row of my table with results so i only get an alert when that line has a slowpct>10 .

Ant1D · ‎05-18-2011

If you want the search to return the latest (top) row of your table, then add the following pipe after your search: | head 1

If you want the last (bottom) row of your table, then add the follwing pipe after your search:
| tail 1

View solution in original post

Ant1D · ‎05-18-2011

If you want the search to return the latest (top) row of your table, then add the following pipe after your search: | head 1

If you want the last (bottom) row of your table, then add the follwing pipe after your search:
| tail 1

Ant1D · ‎05-18-2011

No problem, it's a useful question

bowa · ‎05-18-2011

duh ... now i feel stupid :$

Thanks 🙂

only interested in the last line of the table for creating alerts

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio