Channel: Latest Questions on Splunk Answers

SQL samples in splunk


Just getting started with Splunk & after a little direction.

I have a SQL query that returns a list of requests that a database is handling and some info about those requests. I output the data as rows of key=value pairs & that's appearing nicely in Splunk (thanks to the various posts about how best to do this).

The one thing I'm struggling with is being able to show only the last set of rows output by the monitor. I include in the output a timestamp which is the same for all rows on each sample interval. The problem is I currently get all rows from all samples, when what I need is all rows from the last sample only - these have the latest/max/last timestamp.

My time format is "2013-05-17 17:41:25", but if needed I could output epoch if that's easier.

I'm sure this is a simple thing, but just starting out so need some pointers about where to look/approach.

Thanks


Ok, got a little further;

I think I've got a little further with this now, but I'm still getting multiple samples in my data. I should have said that each sample contains a variable number of rows - say 20-30 - and I only want a table containing that last block of samples.

Anyway - this is what I have;

monitoringInstance=myInstanceName | eval timeEpoch=strptime(timestamp, "%F %H:%M:%S") | stats max(timeEpoch) as lastSample | where timeEpoch=lastSample | table timeEpoch lastSample timestamp requestColumn1 requestColumn2 requestColumn3 requestColumn4

lastSample has the epoch of my last sample time. timeEpoch contains the conversion of timestamp as an epoch.

I think it's the where clause that's letting me down.....or the fact it's wrong ;-)
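As an added example (not from the original post), the same search with eventstats in place of stats, assuming the field names used above: stats collapses every event into a single summary row, so timeEpoch no longer exists by the time where runs, whereas eventstats attaches the maximum to each event and leaves the individual rows intact.

```spl
monitoringInstance=myInstanceName
| eval timeEpoch=strptime(timestamp, "%F %H:%M:%S")
| eventstats max(timeEpoch) as lastSample
| where timeEpoch=lastSample
| table timestamp requestColumn1 requestColumn2 requestColumn3 requestColumn4
```

Because every row of a sample carries the identical timestamp, the where clause keeps all 20-30 rows of the latest sample and drops everything older.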

