HI,
I got an index which send data to sourcetype with new source file every week.
what I want is to my dashboard search query only return events from the latest source file.
For example , my index is - index_sdx2 sourctype is -- splunk_data and there are multiple sources inside this sourcetype like data1.csv data1_10082019.csv data1_11102019.csv
And I want to take only data from latest source , that is all events from source= data1_11102019.csv
I tried like below
index="index_sdx2" sourcetype=splunk_data |eventstats first(_time) as time | where _time==time
But its not giving all data from source data1_11102019.csv
please suggest.
↧