My question is similar to this: https://answers.splunk.com/answers/35759/keping-only-most-recent-events-for-a-fixed-field.html
Basically, I have scan data that looks something like this:
scanIDa,machine1,fail1
scanIDa,machine1,fail2
scanIDb,machine1,fail1
scanIDb,machine1,fail2
scanIDb,machine1,fail3
scanIDc,machine2,fail1
scanIDc,machine2,fail2
scanIDc,machine2,fail3
scanIDd,machine2,fail1
scanIDd,machine2,fail3
scanIDe,machine3,fail1
scanIDf,machine3,fail1
scanIDf,machine3,fail2
I want to keep all the data for *only* the most recent scan on each machine. So the end result of my search should be something like this:
scanIDa,machine1,fail1
scanIDa,machine1,fail2
scanIDc,machine2,fail1
scanIDc,machine2,fail2
scanIDc,machine2,fail3
scanIDe,machine3,fail1
I don't want to know about fail3 on machine1 anymore because it was fixed in a more recent scan.
scanID is a random value. Looks like an md5 hash or something. Whatever it is, it's not usable as a sort field.
Is this possible? Am I dreaming?
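One way to model what the question asks for, as an added example that is not part of the original post and not Splunk's own code: since scanID is not sortable, derive each scan's time from the newest timestamp among its own events, then keep only the scan with the greatest derived time per machine. The rows below are the post's sample data with an assumed Unix `_time` column added (constructed; the post shows no timestamps, but every Splunk event carries one). Event order in the output follows input order, as Splunk would show it.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample input (not from the original post): the post's
# scanID,machine,finding rows plus an assumed Unix _time per event. The
# older scan on each machine (b, d, f) gets earlier timestamps.
SAMPLE_CSV = """\
_time,scanID,machine,finding
1700000600,scanIDa,machine1,fail1
1700000601,scanIDa,machine1,fail2
1700000000,scanIDb,machine1,fail1
1700000001,scanIDb,machine1,fail2
1700000002,scanIDb,machine1,fail3
1700000700,scanIDc,machine2,fail1
1700000701,scanIDc,machine2,fail2
1700000702,scanIDc,machine2,fail3
1700000100,scanIDd,machine2,fail1
1700000101,scanIDd,machine2,fail3
1700000800,scanIDe,machine3,fail1
1700000200,scanIDf,machine3,fail1
1700000201,scanIDf,machine3,fail2
"""


def parse_events(text):
    """Parse the CSV into a list of dicts, converting _time to an int."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["_time"] = int(row["_time"])
        events.append(row)
    return events


def latest_scan_per_machine(events):
    """Return {machine: scanID} for the most recent scan on each machine.

    Step 1: a scan's time is the newest _time among its events, keyed on
            (machine, scanID) so a scanID reused across machines is not merged.
    Step 2: for each machine keep the scan with the greatest scan time.
    Ties on scan time keep the scan encountered first in input order.
    """
    scan_time = {}
    for e in events:
        key = (e["machine"], e["scanID"])
        scan_time[key] = max(scan_time.get(key, e["_time"]), e["_time"])

    latest = {}
    for (machine, scan_id), t in scan_time.items():
        if machine not in latest or t > scan_time[(machine, latest[machine])]:
            latest[machine] = scan_id
    return latest


def keep_latest_scan(events):
    """Keep every event belonging to its machine's most recent scan,
    preserving input order; all other scans' events are dropped."""
    latest = latest_scan_per_machine(events)
    return [e for e in events if latest[e["machine"]] == e["scanID"]]


def current_findings(events):
    """{machine: sorted findings} from the latest scan only, so a finding
    that is absent from the newer scan (fail3 on machine1) disappears."""
    findings = defaultdict(set)
    for e in keep_latest_scan(events):
        findings[e["machine"]].add(e["finding"])
    return {m: sorted(f) for m, f in findings.items()}


if __name__ == "__main__":
    for e in keep_latest_scan(parse_events(SAMPLE_CSV)):
        print(e["scanID"], e["machine"], e["finding"])
```

The two steps map onto SPL's `eventstats`: first `eventstats max(_time) as scan_time by machine scanID`, then `eventstats max(scan_time) as latest_scan by machine | where scan_time=latest_scan`. Two caveats for anyone using this on scanner output: a machine whose latest scan produced no failure rows emits no events at all, so it vanishes from the result rather than appearing as clean, and two scans whose newest events share a timestamp need an explicit tie-break (here, input order).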