I have one file that is pulled in by a universal forwarder setup.
This file is constantly changing on the system on which it resides, and the old data is never removed. I don't want the search to display historical data for each item, as I only want Splunk to poll this data for the current date and have that data displayed. The file is a _json file with epoch time. Currently I have my SPL search and the following:
earliest=-0d@d latest=now
| dedup customer
| eval trigger=strftime(last_number, "%T %F %Z")
| table customer number trigger
| rename trigger as Date_Time
Would the above be accurate for me to obtain only the results that I need? I only want to display the latest entry from this imported _json file for each customer, based on the last_number field.
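As an added example (not part of the original post and not the poster's own search), the following SPL makes the "latest per customer" selection explicit. dedup keeps the first event it sees for each customer, so the result depends on event order; sorting on last_number in descending order before dedup guarantees the kept event is the one with the highest epoch value rather than the most recently indexed one. The field names customer, number and last_number are taken from the post; the index is a placeholder assumption.

```spl
index=YOUR_INDEX earliest=-0d@d latest=now   /* YOUR_INDEX is an assumed placeholder */
| sort 0 - last_number                       /* highest epoch first; 0 removes the default 10k row cap */
| dedup customer                             /* keep one event per customer: the one with the largest last_number */
| eval Date_Time=strftime(last_number, "%T %F %Z")
| table customer number Date_Time
```

Note that the earliest=-0d@d bound filters on _time, so it only restricts to "today" if _time is being set from the epoch field at index time; if _time is the file modification or ingest time instead, the time picker will admit older records from the same file and the sort/dedup step is what actually picks the newest one per customer.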