
Splunk pick latest entry and group by Id


I am new to Splunk queries; could someone help with this please? I am trying to get the latest entry for each id.

Sample data:

id=Id1 p1=12 p2=32 time=10:13
id=Id2 p1=34 p2=54 time=10:14
id=Id1 p1=1 p2=99  time=11:33
id=Id2 p1=5 p2=67  time=13:00

expected output:

Id1 1 99
Id2 5 67


Solution

  • The dedup command will do that. It removes all duplicate events based on the specified field(s) while keeping the most recent.

    ... | dedup id | ...

    You also can use stats. This example selects the most recent value of p2 for each id. The stats command often is faster than dedup, but suffers the side-effect of discarding fields it doesn't use (keeping only 'p2' and 'id' in the example).

    ... | stats latest(p2) as p2 by id | ...
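As an added, self-contained example (not part of the original answer), the search below rebuilds the question's four sample events with `makeresults`, gives each one a real `_time` from its `time` field, and then applies the `dedup` approach so the result matches the expected output. The `raw` and `time` field names are assumptions of this example; in a real index you would skip the first six lines and search your own data.

```spl
| makeresults
| eval raw="id=Id1 p1=12 p2=32 time=10:13;id=Id2 p1=34 p2=54 time=10:14;id=Id1 p1=1 p2=99 time=11:33;id=Id2 p1=5 p2=67 time=13:00"
| makemv delim=";" raw
| mvexpand raw
| rename raw AS _raw
| extract
| eval _time=strptime(time, "%H:%M")
| sort - _time
| dedup id
| sort id
| table id p1 p2
```

The `sort - _time` step matters because `dedup` keeps the first event it sees for each `id`, which in a real search is already the most recent one; the `stats` alternative needs no sort, since `latest()` uses `_time` directly, but you must name every field you want to keep, e.g. `| stats latest(p1) AS p1 latest(p2) AS p2 BY id`.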